Hi, has anybody had any issues enrolling BB KeyOnes in Intune (or any other MDM vendor) since the latest security patch was released? We are using AE work profiles and the enrolment process freezes at the "registering device" stage.
Am I right in thinking that Zero Touch on Intune still requires scanning the QR code for fully managed device setup? I cannot find any information regarding adding any DPC extras to potentially include the token credentials.
*Thread Reply:* thanks @Mark Vonk and @Jason Bayton
Don’t know the guy (Bayton) but seems to have some good info on AE 😉
Does anyone know if you can specify a default password length when requesting a passcode reset on Intune? Trying to get a user to type the reset code given in my example here is just ludicrous. "Reset passcode completed. Temporary passcode for this device: ?P&Lgcji%&?UxF "
*Thread Reply:* https://docs.microsoft.com/en-us/azure/active-directory-domain-services/active-directory-ds-password-policy :
*Thread Reply:* On a managed domain, the following password policies are configured by default:
Minimum password length (characters): 7
Maximum password age (lifetime): 90 days
Passwords must meet complexity requirements
*Thread Reply:* I guess the password reset is taking the password policy into account
We're about to test Intune MAM here. We're being asked by the security audit team what specific anti-malware protocols are put in place by Intune. We've asked Microsoft but they are essentially sales reps and are giving us a very vague answer. Does anyone know any specific malware functions that are utilized by Intune MAM?
MS is always very vague when they are not supporting something.... 😉 The only thing that is in place is basic jailbreak/root detection but even this is not perfect... I’m not sure it is completely bulletproof against semi-jailbreak or Magisk Root attacks
Yeah, when researching Intune and anti-malware abilities, articles keep bringing up Windows Defender. But what about Intune and MAM for mobile-specific anti-malware abilities? That's where we're running into a dead end.
There is nothing. If you want it, you gotta integrate Intune with a MTD/MTP solution like lookout.
How about O365? Do you know if Microsoft offers any type of anti-malware functionality with their O365 stack? That's what we'll be implementing in Intune MAM, by the way.
I'm not sure if we have that in our Microsoft stack, does that come with O365 by default?
Isn't Azure ATP just for Win10 and not for mobile devices? E3 doesn't have the ATP functionality in the license, you need E5 for it. https://www.microsoft.com/en-us/enterprise-mobility-security/compare-plans-and-pricing
Azure ATP is phishing protection for email. It's a separate product from their AV product on Windows / Mac.
If you want Mobile Threat Defense, my recommendation is Lookout, but I may be biased (I'm a sales engineer for Lookout)
Keep in mind that MTD distribution, activation and security action enforcement is difficult in MAM scenarios where the MTD is not included/integrated in the MAM solution.
Does anyone know if it's possible to stage an Android Enterprise (Samsung) device in Intune like you can with WS1?
*Thread Reply:* Staging functionality is not available in Intune. There is just Device enrollment manager for shared devices.
*Thread Reply:* Probably you can just add the device serial no. for Intune to recognize the device as corporate?
Odd question, but figured I'd get some unique answers here - what are your biggest arguments for keeping MDM clients OFF of Intune? It's difficult to put into words just how atrocious Intune is to use from a day-to-day admin perspective in a way that's tangible for folks considering Intune for no other reason than they think they get it for "free".
*Thread Reply:* Android support, Certificate management, Intune delegation...
*Thread Reply:* @JF Rigot Can you expand on the Android support issues? I haven't had a ton of hands-on with modern (7+) android enrollments - what's the issues there?
*Thread Reply:* The fact that Android COPE is currently out of scope, for instance. It's not that I get frequent requests on it, so far.. but still no-go for Intune. Zero touch enrollment is out of scope as well.
*Thread Reply:* Wow, I can't imagine that will remain that way for too much longer
*Thread Reply:* Those are egregious gaps lol
*Thread Reply:* I tend to think those gaps will be closed before the end of the year, especially when you see how much changes are occurring on the Azure/Intune side every day. Fingers crossed.
Does anyone know what this issue could be? Tried enrolling a Samsung A7 as BYOD into an Intune demo tenant.
*Thread Reply:* When I press "Email support" the admin of the tenant should receive a message but it's never received.
*Thread Reply:* @JF Rigot I guess it's not device related as I cannot enroll a Samsung A5 either.
*Thread Reply:* Issue has something to do with the "MDM Authority". While it is setup as "Intune".
Logs:
DETAILS: Intune mobile device management (MDM) authority is not configured yet.
RECOMMENDED STEPS: Set the MDM authority under Device Enrollment in Intune in the Azure portal. If this is already configured, try again or contact support.
*Thread Reply:* After you switch to the new MDM authority, there will likely be transition time (up to eight hours) before the device checks in and synchronizes with the service.
*Thread Reply:* https://docs.microsoft.com/en-us/intune/mdm-authority-set#set-mdm-authority-to-intune
*Thread Reply:* @JF Rigot haven't changed the MDM Authority at all. It's a demo tenant which is not connected to local AD or SCCM.
*Thread Reply:* Ok, but has this been set to intune anyway?
*Thread Reply:* @JF Rigot as far as I can see, yes. Created a new demo tenant and no longer got the issue, but that's a workaround, not a solution.
Preview 2 for Android Enterprise fully managed devices for Intune was announced
*Thread Reply:* So with this, is this Microsoft's way of enabling COPE? Enabling Access to the Consumer Play Store
*Thread Reply:* Looks quite buggy when reading the comments under the article... too bad.
*Thread Reply:* Agreed. Still a big road ahead for Intune.
*Thread Reply:* @Ajay Patel To my understanding, this preview offers the ability for fully managed devices via Android Enterprise only (COBO). So far, Intune does not support COPE for Android Enterprise. Hopefully the Intune team has it on their list of features for future releases.
*Thread Reply:* It's a very interesting concept after testing. It uses the Google account that gets created to be able to download apps instead of the user needing to input a personal account. As the one that gets created cannot be used for anything DLP-wise, it's quite a good way to enable the Play Store but not give access to personal accounts. This is how I've interpreted it anyway. Someone please correct me if I've totally misunderstood this scenario.
*Thread Reply:* @Ajay Patel that's how I understand it as well
Has MS released follow-up trainings/certs for Intune? MCSE: Mobility has been retired and I haven't seen a replacement. I just want to get trained up and certed with Intune.
*Thread Reply:* Keep me posted if you know a replacement. Passed my MCSE:Mobility before deadline
*Thread Reply:* https://trainingsupport.microsoft.com/en-us/mcp/forum/all/mcse-mobility-replacement/78bc0ce3-e241-4122-a289-57c95ded1971
*Thread Reply:* My next goal is MS-101, although Intune seems to be just a third of the exam
*Thread Reply:* I’m aiming for Microsoft 365 Certified: Enterprise Administrator Expert (MS-100 and MS-101), though a prereq is required. There are a couple of options, but I’m going with Microsoft 365 Certified: Modern Desktop Administrator Associate (MD-100 + MD-101). Hope that helps.
*Thread Reply:* Look what I have found. https://www.inthecloud247.com/free-online-courses-for-microsoft-365-and-azure/
*Thread Reply:* @Dimi Both exams aren't really Intune minded right?
*Thread Reply:* With the new role-based certification that is as close as you can get to it. MS-101 covers EM+S and Intune is part of it. And you can’t have EM+S without the Identity, which is covered in MS-100.
*Thread Reply:* It is oriented towards Win10, but the same principles apply to mobile device management.
What happens when you deploy Win10 devices with Autopilot, auto-register them in a different MDM (like MobileIron) and then remove the P1/Intune license for the user? Does it have a negative effect on the use of the device? Can this be done to save costs for companies who want Autopilot but do not want to use Intune as MDM?
@Justin Butts check the #microsoft channel for replies 🙂
Does anyone have any info on when Android Enterprise fully managed devices will be out of preview?
I have a customer looking to start using Intune to deploy some Android devices using the Corporate-owned, fully managed user (preview) setup, and the issue we are facing is that if we block the user from being able to add additional accounts, there are certain apps that cannot run and you get a prompt saying this action cannot be completed. If you enable the ability to add accounts, then the users can use the app no problem, however that then opens up a whole heap of DLP nightmares!! Anyone faced this issue or know of a workaround?
*Thread Reply:* @Ajay Patel this is troubling but confusing - which apps stopped working? I would like to test this in other MDMs
*Thread Reply:* Glad it's not just me that thinks this! One of the apps is Salesforce Field Service Lightning.
Does anyone have any experience with MFA and DEP on Intune? We are encountering an issue with a customer whereby we can get the device through the initial Setup Assistant and download the Company Portal in Single App mode; however, upon signing in and entering the MFA code, it prompts that more information is required and then wants the device to go through enrolment (conditional access rules in place to say enrol into Intune for access to any company resources). BUT the weird part is it prompts to download the Company Portal app even though we are inside the app already!
@Ajay Patel maybe it's one of new features/changes in Intune: https://docs.microsoft.com/en-us/intune/whats-new
*Thread Reply:* I managed to resolve this! Making sure you select the right region for the App Store is the resolution!
Does anyone know if you can publish a Client app into the Company portal but hide it from everyone? I think if you assign it to device instead of a user this works, but wanted to see if anyone else can provide additional info.
*Thread Reply:* Why do you want to publish an app to everyone and then hide it on all devices?
*Thread Reply:* Some apps which are system utilities that are published for auto-deployment to devices. (such as a new endpoint client) for Windows 10.
People need to get their private calendar in the app on the work profile. Adding accounts is allowed and works, but not for Google accounts... any ideas?
*Thread Reply:* Don't have access to an Intune environment at the moment, but at least in WS1 there is an option for "allow adding accounts" and "allow adding Google accounts". So maybe one of those is disabled?
*Thread Reply:* Ah, maybe that's the problem... in Intune there is no option for adding Google accounts, only for adding accounts in general.
Anyone have anything they're willing to share regarding a capability comparison between, ideally, Intune, MI and WSO?
The biggest minus I see in Intune right now compared to WS1 is the lack of COPE. And also overall Intune is still very much in development and doesn't really feel mature. The lack of a "remove and reapply profile" feature for example is really annoying. Or when you search for a device with a serial number you know exists and nothing comes up. Or when you go into a user, choose devices but can't see any details, you can only see that if you enter from the devices option. Or when you add a device to a group and you get a list of 100 identical "iPhone" entries with no way to tell them apart.
It all works in one way or another but not exactly user-friendly compared to WS1. And I really hate the horizontal scrolling. But that's a personal thing.
I mean it works but it's not as solid as WS1. Compared to MI I have no idea as I've never used it.
One point in favour of Intune though: Microsoft is putting real effort into their API, going as far as building simple Powershell commandlets you can use. That's way better than WS1s API which isn't documented very well and what is documented often contradicts itself. And is limited in the number of calls you can make per day. The MS approach really shines.
*Thread Reply:* I find the WS1 APIs super easy to use in PowerShell and OK documented on the https://<server>/api/help/ web docs. What are you missing?
*Thread Reply:* I've had several instances where the PDF and online docs were contradicting and were in fact both wrong (otherwise I'd have figured it out)
*Thread Reply:* It took weeks to sort out with support
*Thread Reply:* Most of the issues were related to specific values needed. Those aren't well documented especially on the web help. Like for sending a message. It mentions you have to specify a service but not what it should be. The pdf version mentioned some values but they were actually incorrect.
*Thread Reply:* Use the API Explorer, it's lightyears ahead of the old PDF docs
*Thread Reply:* Yes but it's even worse in terms of documentation of some things (like expected values for some of the inputs). That's why I still keep the PDF around. I know it hasn't been updated since 9.3.. In every other way it's better, yes 🙂
Yeah if you have very basic requirements it will do.
Cheers @Tycho @Sharkey. Unfortunately they're not simple requirements... we are AE COPE and WP; rugged; Android/iOS; 100s of internal apps; VPN; VPP/DEP and ABM; vIDM for seamless auth; API dependent (ServiceNow amongst others), but getting the standard push to review MS again.... All of this helps for sure, so I appreciate your comments as it helps to reinforce concerns with real examples!
And getting Microsoft to help will also be an issue I imagine. Bug fixes and feature requests will be a bear based on past MS experience.
Speaking from rugged Android experience with Intune, it really does not hold up at all compared to the other offerings. Their DPC for DO is basically just the Google DPC, so it only supports features that Google adds natively to AE instead of offering any additional capabilities like direct APK installation, Android file system interaction, scripting, etc.
Trying to roll out a custom OMA-URI for Google Update and have been running into a wall for the past two days. I've gotten the ADMX ingested OK. I can disable the policy just fine; however, I cannot get the setting I want enabled.
Does anyone have experience with deploying PKCS certs on iOS with Intune for Wi-Fi? Customer has PKCS already in place for Windows 10 machines (via XML pushing method) but wants us to implement the same strategy for iOS devices. It's a government-related organisation so they have a lot of protocols/ports closed. They do however have a Cert Connector in place. We created the following:
profile1: Trusted Cert = Root cert (is deployed to the device)
profile2: Trusted Cert = Intermediate cert (is deployed to the device)
profile3: PKCS profile = for requesting the personal cert. Works. Personal cert is on the iOS device (is deployed to the device)
profile4: Wi-Fi profile = Wi-Fi Enterprise, EAP-TLS. Pointed to profile3 for cert requesting and to profile2 for the intermediate cert
profile4 status is staying at "pending" when I check the Profile Configuration of the device. Device does see the Enterprise Wi-Fi. Asks for a username/password when the user tries to connect. When the user chooses client certificate, the password field hides. The user fills in his email address and is able to continue. Needs to trust the "untrusted" cert and can connect to the Wi-Fi.
My guess is it has something to do with the following URL. However, the poster of the issue has it resolved but there's no resolution posted: https://techcommunity.microsoft.com/t5/Microsoft-Intune/Devices-not-connecting-to-WPA2-Enterprise-EAP-TLS-wireless/td-p/295342
We have the same configuration, if you like I can show you how it's set for us
One thing that was a "catch" for us was that all these profiles have to be assigned to exactly the same groups of users
or devices. Setting one (e.g. the root CA) to "all users & devices" and another one to specific groups didn't work.
Intune is still a POC right now, all assignments are on "All Users" at the moment.
Hm, OK, this for us was the reason stuff stayed in Pending.
If you like we can do a quick screen share because it works for us
We're planning to move to SCEP but the connector config is more complex
No SCEP for the customer either. I don't have access to the customer's tenant at the moment. I'll send you a PM.
Hi, @here. Why would some of the apps deployed via Intune prompt for UAC and some would not ?
*Thread Reply:* It is an exe app that was wrapped in an MSI.
*Thread Reply:* When an exe is wrapped in an MSI, it depends on which method they are using. Do they use a tool like SCCM or any other package builder? The package builders add the UAC rules as part of the packaging process…
*Thread Reply:* That's what it was by the looks of it, wasn’t packaged correctly.
*Thread Reply:* Managed to get it sorted, kinda. Now the app has installed but reports as failed, even though it has installed successfully.
*Thread Reply:* Probably need to tinker with the packaging tool a bit more.
Question: How are you handling a multi-tenant operation in one Intune instance? In WS1 I have 70+ org groups where admins work within the group. Can this be achieved in Intune?
*Thread Reply:* Objects (configs, apps, devices...) can be tagged with scope tags and these tags can be used for access delegation to tagged objects. But WS1 is much more flexible as each OG can be totally independent.
*Thread Reply:* Yeah, that's how it needs to be for me, the independence is a key feature.
*Thread Reply:* Basically config needs to be created and tagged by someone with global rights. Also, integration with Google, Apple etc. is per instance only...
*Thread Reply:* Can you have multiple DEP tokens in one Intune?
We do not have the organisation group concept in Intune, but the admin roles can be restricted to the specific groups in which the devices are enrolled and managed…
*Thread Reply:* Are these groups able to overlap? Thanks
*Thread Reply:* Scope tags are your friend. An object can have multiple scope tags.
Hi @here what questions should I expect on a phone interview for an Intune EM+S consultant role? Your suggestions are much appreciated.
Does anyone have any experience with COBO on Intune? I need to implement this but I heard there were many issues with it still (it was only added in May). It also seems to still be in "Preview" according to the documentation.
*Thread Reply:* It uses the "new" Android API which is not fully finished yet. The part that is finished is also not fully implemented by Microsoft. Best thing is to just try it out for your use case. We tested it and it's not as we would like it to be. For example, we needed the "Camera" app.
*Thread Reply:* Thanks! That doesn't sound good 😞 I'm trying it out now anyway.
*Thread Reply:* Is there User Affinity on COBO?
Hey everyone. Regarding the built-in Intune All Users, All Devices and All Users and All Devices groups: what’s the use case for each one? I want all enrolled devices to have a baseline security policy. Seems like I should choose All Users and All Mobile Devices to have full coverage? Currently we have it deployed to a user group.
Also, any gotchas switching from an AAD user group to the built-in All Users and All Devices group?
@Jason you can use those built-in groups but it's better to create your own groups.
@Jason I tried to enroll mobile devices into certificate-based Wi-Fi but it didn't work with built-in groups. @Tycho had the same problem and the solution that Microsoft provided was to create custom groups.
*Thread Reply:* The root certificate for server validation and the certificates (in the Wi-Fi profile) must be assigned in the same way as the Wi-Fi profile... all assigned via user group OR device group... not mixed...
*Thread Reply:* I didn't have it mixed, I knew that. But it still didn't work. After a lengthy support case they told me that all components of the WiFi profile (root certs, user cert, WiFi profile) must be assigned to the exact same group. I did that and it did indeed work.
*Thread Reply:* In my case the new (correct) configuration worked only on newly enrolled devices.
Would the Wi-Fi profile work with a device group or does it need to be a user group?
I prefer using the built-in groups only in demo tenants and using custom groups (mostly dynamic) when it's in production.
So if you wanted all devices to have the same restrictions policy for Android Enterprise, you would use a dynamic user group or a dynamic device group?
If you want to assign a restriction policy to all Android Enterprise devices you should be able to create a dynamic group for that.
Dynamic device or dynamic user? Assume you mean dynamic device?
Something like device.OSType -eq Android enterprise
I still use all devices for a lot of stuff because dynamic groups take many hours to create 😒
Does anyone know whether line-of-business apps are supported for COBO? They're not deploying for me 😞
*Thread Reply:* Yeah, I noticed that too. You can use the Managed Google Play store and upload your in-house apps there, though.
*Thread Reply:* Hm yeah the problem is it's a third-party app that's just not in the store, not sure if they'd like us uploading it. Though I could probably limit its exposure to just us.
*Thread Reply:* If you are talking about the iFrame, it is a private app store and should only be available to your organization's devices.
*Thread Reply:* OMG I just noticed that Wi-Fi Enterprise is also missing for COBO 😳
*Thread Reply:* If I select the one under Device Owner Only:
*Thread Reply:* Then there's no option for enterprise anywhere
*Thread Reply:* It's called Android Enterprise for a reason..
*Thread Reply:* Oops, sorry, selected Work Profile Wi-Fi.
*Thread Reply:* No, for COBO there's no Enterprise Wi-Fi.
*Thread Reply:* It is still in preview of course…
*Thread Reply:* Yeah I hope they'll fix this soon. I've already asked our TAM
*Thread Reply:* I know it's preview but this was an urgent request that landed on my desk 😞 Sorry for my annoyed message there 🙂 It's just difficult sometimes to convince people things are not my fault and I end up having to do that a lot since we started using intune. We're very good at finding the weird edge-cases here
*Thread Reply:* Microsoft said the Enterprise Wi-Fi should be in the August release; general availability of COBO should be in September.
*Thread Reply:* Yes we are investigating COBO Intune but won't be making a move until probably the start of next year. We need KME working as well
*Thread Reply:* Intune is still really bad for COBO/COSU. I don’t envy any admin stuck with it for that management use case. Uploading a third party’s private app to the Play Store will consume that package name / bundle ID, as they have to be unique, even for private apps in Managed Play. The developer is not going to be happy about that.
*Thread Reply:* :eek: thanks @Matt Dermody then it's definitely not a good idea to upload that third party app. I've already asked them to publish it themselves.
*Thread Reply:* Or ask them to repackage it with a customer specific name. In that case uniqueness of the name/ID is not an issue
*Thread Reply:* True, that's an option too.
But they have other apps in the store, just not this one... so it should be a small effort for them.
How can I enable "debugging features" for an Android Enterprise managed profile with Intune? I want to deploy an APK via adb to the managed profile. I think by default (Intune) the user restriction "DISALLOW_DEBUGGING_FEATURES" is set to true. See here: https://docs.microsoft.com/en-us/intune/compliance-policy-create-android-for-work#work-profile > Block USB debugging on device:
"You don't have to configure this setting because USB debugging is already disabled on Android Enterprise devices."
I don't think this is true. I have many devices on Intune where I use ADB. We didn't change any settings regarding this. These are Work Profile devices, by the way.
Where does one get started using Intune? Any good resources you can refer me to?
The docs mainly, and any technical contacts at MS if you have them. https://docs.microsoft.com/en-us/intune/
And of course us here!
We had a workshop with MS also when we started, but I don't have the presentation anymore; usually I just keep my own notes and take screenshots. Not sure if they ever even sent it.
Also, sooner or later you will need to look at the features "coming soon" because there's bound to be some you're missing 😉 https://docs.microsoft.com/en-us/intune/in-development and https://docs.microsoft.com/en-us/intune/whats-new (the first link is officially NDA but has already been posted here before)
Thanks! I've been told to "play around" with Intune now 😉
Do not fall to the dark side
If anything, I have to play around and show how the solution is not really a solution at all.
If you have to do anything with ruggedized / dedicated devices I’ve got plenty of ammunition for you. I seriously hope they get better because there are a lot of folks “playing around” with it right now
Anyone have any good resources they could share regarding Intune and BitLocker?
*Thread Reply:* https://sccmentor.com/2019/01/22/keep-it-simple-with-intune-3-disk-encryption/
Hey all. Has anyone noticed that when using a dynamic device group, Intune takes a while (45 min today for me) to queue up any policies assigned to that group? The group is populated pretty quickly but Intune isn’t aware of it for a while.
*Thread Reply:* Indeed, it's related to their polling schedule.
*Thread Reply:* Sadly there is no real solution to speed it up.
Hi guys, does anyone have any information on when Intune gets the Android Enterprise fully managed with work profile (COPE) capabilities?
AE workspace only, or fully managed, is also only available via PREVIEW, so not stable yet.
It's said that it should be in before the end of the calendar year.
The AMAPI will support COPE in Q3. So, after that, Microsoft will be able to develop and support it.
Hey guys! How do I handle Android Enterprise migrations with Intune?
Create different enrollment restrictions and apply them to different groups? But what about existing DA devices, do they need to re-enroll to be converted into AE Work Profile?
*Thread Reply:* Hey Anton, yes, indeed use the enrollment restrictions to set up a pilot group, and re-enrolling is indeed necessary to activate work profiles for already enrolled users.
*Thread Reply:* Sweet jesus.. really? Welcome to Intune! 🙄
I'm not surprised at all. https://www.microsoft.com/en-us/microsoft-365/blog/2019/08/14/microsoft-is-a-leader-in-the-gartner-magic-quadrant-for-unified-endpoint-management-2019/amp/
*Thread Reply:* Somehow I find this misleading. I feel like it's padded by the Win10 adoption rate using InTune.
*Thread Reply:* Yep, the Gartner ratings are laughable really. Intune is a good year or more behind WS1/MI in terms of Android support, but yet they are still a leader in UEM? Also, some of the cautions vs strengths that they discuss in the report are dubious and sometimes factually incorrect.
*Thread Reply:* Gartner isn't really aimed at advising people like us... It's advising people many levels above us. Where being a trillion dollar megacorporation counts massively (Think "Nobody ever got fired for buying IBM"). They look at things like how much R&D budget is thrown at a product and tickmarks on spec sheets, not how well it works in real life.
This also aligns very well with Microsoft's strategy of selling to the highest levels without getting the people who actually have to make stuff work involved.
That's how you get all the things like "Feature X is still in preview", "We decided to change how we do this so everything we said before is now changed", "We don't work that way so just change the way you do things". Many of those caveats are often "forgotten" in the sales presentations so it then makes us look really bad for not getting things to work. 🙄
PS: I do think Microsoft has some really strong products. Azure is one of them, and automation integration is great across the board (think powershell). But Intune isn't one of those strengths yet and they seem to be selling it as if it is.
*Thread Reply:* Agree, but at the same time the whole M365 suite of apps works really well as UEM. If you roll out a Win10 device I would not choose anything else.
You got everything in one package: Endpoint protection, Identity management, Security, Information protection, MDM, the list goes on.
And once they catch up with Android and they will catch up eventually. Every other UEM will have to work hard to compete with them.
Not to mention how you can easily Automate and integrate different parts of the whole Azure stack.
I come from the Workspace One background but recently got involved in some Azure/EMS projects. It just works.
*Thread Reply:* Having everything in one basket isn’t always the best move either. All depends on your IT strategy.
*Thread Reply:* True, but ~the majority~ some MDMs are becoming UEMs. Once you choose one you stick with it, and it will be hard to compete with MSFT.
*Thread Reply:* You can manage Infrastructure as code, imagine having UEM as code. Manage everything with a PowerShell script.
*Thread Reply:* I typically use powershell to do WS1 work already :)
*Thread Reply:* I didn’t realize you could do that. What parts of it can you manage? What do you use it for?
*Thread Reply:* The API allows you to do so many daily activities via many channels. You could code your own console if you so desired. Or integrate tasks into other systems like service now etc.
*Thread Reply:* @Dimi What devices are you managing when you find "it just works"?
My experience with mobile devices is quite the opposite, to be honest. Many features either don't work, are designed in such a way that they're really hard to use, or work completely differently to other UEMs, etc. Some examples: reporting is in its infancy (they decided to completely redesign it earlier this year), Android web clips still don't work properly, search boxes return hundreds of literally the same name ("iPhone") with no way of finding which ones to choose, etc. Getting some types of profiles to actually deploy was really tricky too (like WPA2 Enterprise with certificates).
Perhaps when managing W10 devices it works better but for mobile devices I would not call intune an industry leader yet. But I would also choose Intune for W10 for sure - if only to avoid the finger-pointing between Microsoft and the UEM vendor when there's issues 🙂
They are working really hard on it (by far the hardest of all the UEMs I know) and every month there's major new features and bugfixes. But they still have a way to go IMO.
Also, the deep integration with other MS products has made our lives a lot more difficult. We have many teams to manage other MS products already like Identity, Directory and O365 teams. They all own different bits and because of this we won't get full access ("global admin") to the platform which we did have for Workspace ONE. You do need this to manage some things so we always end up having to find someone willing to help which makes the deployment and troubleshooting process slower. Of course I don't blame Microsoft for this as it's our own organisation structure but it doesn't help my enjoyment of the job.
*Thread Reply:* @Sharkey yeah, the API is great; you can even do some things there that you can't do in the console. Like moving a device to a different owner (at least I've never found a way to do this in the console). Sometimes the domain name gets screwed up and it really helps to move a user's devices to a temporary owner while I delete the affected user's account and recreate it. This way they don't have to unenroll all their stuff.
*Thread Reply:* @Tycho My experience with Intune was based on a Win10 Surface Go deployment. Compared to Android deployments, Win10 was one of the quickest. Autopilot was a game changer: the device went from the distributor straight to the end user. It wasn’t the most complex deployment, but I loved how it went. Not to mention the cost savings for not having to pre-provision the device or manage the gold build image. It just worked. I have no doubt that MSFT will get Android to a similar state in no time.
*Thread Reply:* IMHO handing over “Global Admin” to everyone is not the best idea, no matter what product you use. RBAC does a pretty good job and you can be very granular about who gets access to what.
How do you guys do location tracking for Android devices in Intune, as this is not natively built in?
Has anyone experienced the beta version of Intune company portal showing up in managed google play?
Has anyone had any success with building PowerShell Scripts within Intune? Or put another way... With iOS enrollments it takes over 30+ minutes for apps to be distributed to the devices. Any workarounds here besides a possible powershell script that would refresh the AAD Groups for new members?
What types of groups are you using to target the apps? Dynamic groups are known to cause a delayed rollout. AD groups should typically be almost instant in my experience
@Mark Vonk Dynamic Groups. Can't do AD groups b/c we needed 4 different groups of people for Apple DEP enrollment (Sales, Corp, Admin, & others) so we split
If you can edit the groups using Graph, this might help.
https://docs.microsoft.com/en-us/graph/api/group-update
That would trigger a resync. But still, the resync will take some time too
As per info ... I just got off the phone with MS on an issue and figured I'd pass this along. With regards to iOS VPP apps being pushed down to Apple DEP managed devices:
Did anyone get KME working with Intune? KME profile assigned to Samsung KME device, one with user credentials in KME and one without. On both devices the Company Portal app crashes at the home screen after setup.
*Thread Reply:* yes, we had it working. Haven't tested lately
*Thread Reply:* I'm trying to get KME devices enrolled in Corporate-Owned (preview) but no success today. Tried 2 different model devices (Android 8 and Android 9).
*Thread Reply:* @Marc van der Kooy what error are you getting? I was able to get ours working
*Thread Reply:* works for me too, make sure you use the correct MDM agent URL in your KME MDM profile (https://aka.ms/intune_kme_deviceowner)
Noob question - Intune Apps - Delete App is greyed out for VPP apps. Is there some other workflow for removing VPP apps in Intune?
*Thread Reply:* Hey Justin. VPP apps are assigned in Apple Business Manager, so it’s unclear what deleting one in an MDM would do. What I’ve done is, in ABM, I make a new location called “Parking Lot” and assign all licenses for unwanted apps there. Once you have no assigned licenses for a VPP app, Intune may allow you to delete it.
*Thread Reply:* Yeah I mean I can delete VPP apps straightaway in other MDMs
*Thread Reply:* Just wondering if I was missing something for Intune
*Thread Reply:* Hi Justin, it is not currently possible to delete VPP apps from Intune
*Thread Reply:* @Leon Thanks! gotta ask....why on earth not?
*Thread Reply:* I am not sure TBH, it kinda sucks. Let me do some more digging. It did take a while for the ability to remove Managed Google Play apps within the console, seems like Microsoft are heavily investing in the Android space at the moment
I’m new to Intune (primarily a WS1 admin). I have a noob question too: is it normal that everything (especially Win32 apps) takes a long time until it is available in the console, and even longer until it is visible to the clients?
*Thread Reply:* yes, Intune is very "asynchronous" in nature....
*Thread Reply:* That’s the answer I was afraid of. 😉 In this case I have to train my patience
*Thread Reply:* and coming from WS1 this is quite something to get used to. unfortunately
*Thread Reply:* So true ... but now I can tell the difference between both at least
*Thread Reply:* Yeah, when you upload apps, they are synced in the background at regular times. So depending on when you upload it can take a lot of time. Sadly there is no list of these times.
Hey guys, noob question about Managed Home Screen. Is there a possibility to show incoming calls?
*Thread Reply:* If I disable the Managed HS it works right.
Anyone have any success locking out document leakage from MS iOS native apps when using a 3rd party enterprise storage providers such as Box? Specifically around saving to Dropbox, etc with any combo of Intune EMM / MAM policies. To clarify I don’t mean by using a separate app like Box EMM but by allowing MS iOS apps the ability to directly Auth to Box so we can natively use the MS apps
*Thread Reply:* Do you mean enabling box but disabling dropbox and others in the Word app for example?
*Thread Reply:* yes, but honestly we don't really care how the control is achieved as long as it prevents the user from saving a copy
*Thread Reply:* You need to send the UPN as part of the config to tag documents as work docs. There is a blog post on MobileIron website that gives some high level guidelines for dual persona apps. In that case Microsoft apps
*Thread Reply:* This will help in the MS Office container, but also when using managed open-in with other apps (open container)?
*Thread Reply:* @NicolasR do you mean the IntuneMAMUPN app config? We are doing that
*Thread Reply:* What I found is the following
“Managed location needed for Office
A managed location (i.e. OneDrive) needed for Office. Intune marks all data in the app as either "corporate" or "personal". Data is considered "corporate" when it originates from a business location. For the Office apps, Intune considers the following as business locations: email (Exchange) or cloud storage (OneDrive app with a OneDrive for Business account”
*Thread Reply:* https://docs.microsoft.com/en-us/intune/app-protection-policy
*Thread Reply:* I think the issue is that Box isn’t being considered part of “Corp Data” which expected but trying to find a solution. Same for iOS Mail attachments from the Managed Profile. If I take that attachment into MS Word I can then save that to Dropbox as well. The mail profile is pushed by MI EMM and using CBA to O365. Not sure if an OAuth profile would behave differently
I will not comment this as I’m not objective anymore. Just that I have the feeling of reading 2013 news
*Thread Reply:* Weird, Adobe was already on the SDK list of Intune for a very long time. If you google you can find documents dating back to 2015 about Adobe supporting the Intune SDK...
*Thread Reply:* Totally agree with you guys. This makes me sick
*Thread Reply:* @Mark Vonk the difference is that now Adobe integrates this into their main app, there will be no more “Adobe for Intune” app, just “Adobe”
Hello guys,
I have encountered a major issue after enrolling devices. Actually, I am using the Android Work Profile enrollment mode for my devices and I also provisioned my Client Apps through the Google Play Managed platform. After enrolling the device, the Apps are deployed, but I can't add a google account on the Applications in the Work space of the device. Note that all these Client Apps are G-Suite apps. The error received when trying to enter the Google email credentials is "Action Forbidden, you are not allowed to perform this action, please contact your administrator". Could you please help me out with this issue?! Thanks in advance!
Best regards.
*Thread Reply:* Yeah, the ghost Google accounts are NOT a G Suite account. So it's either that or you have a restriction active on adding accounts.
*Thread Reply:* I reviewed all my restrictions and I don't think there is one which is affecting the latter.
Is there a MS blog/site that shows current known issues with Intune?
https://twitter.com/msintune/status/1173378844759191552?s=21
*Thread Reply:* Uhmm, did they have their computers turned off for the last 2 months?
Hi Folks, has anyone used EBF Onboarder for Intune with iOS DEP devices?
Yes we piloted it. But for DEP it gave no benefit as you need to do a full wipe anyway.
*Thread Reply:* That was my thinking, but they sell it as if DEP is somehow supported.
*Thread Reply:* This tool claims to migrate iOS DEP devices without wipe - https://docs.exodus.tools/dep_workflow/. There are a couple of caveats, but it might be useful for you. I haven't used it.
*Thread Reply:* I tried the EBF tool and it didn't do anything special with DEP. It just guides you through the process. I think it triggers the wipe too but I didn't test the DEP flow personally.
Interesting about that Exodus tool by the way! Will have a look at that. As they say it's not the "official" method, but the wipe is really painful.
*Thread Reply:* I have limited exp with DEP, but I was under impression that you would have to move and sync existing devices to a new virtual server in ABM and then factory reset them.
*Thread Reply:* I don't think Exodus can change iOS device behavior. My guess would be they do a retire without wipe. But that's not a good move for a DEP device in my opinion.
*Thread Reply:* Yeah it sounds like a dirty workaround
*Thread Reply:* But it may be less painful than the full wipe
For the scenarios that did make sense we made something in house
Hello everybody, is there a way to realize per-app VPN with Windows 10? For example: rolling out a LoB application which always uses a VPN after starting when it is not in the company network.
*Thread Reply:* Do you have a VPN solution available to you? Intune does not have it, so you will need your own. Or use Azure Application Proxy (when possible)
*Thread Reply:* If you have a VPN solution, please use their documentation to create a per-app vpn. Or use the VPNv2 CSP: https://docs.microsoft.com/en-us/windows/client-management/mdm/vpnv2-csp
*Thread Reply:* you can restrict the minimum iOS version required for enrollment at Intune - Device Enrollment - Enrollment restrictions. For already enrolled devices, you can create a compliance policy.
I have encountered a major issue after enrolling devices. Actually, I am using the Android Work Profile enrollment mode for my devices and I also provisioned my Client Apps through the Google Play Managed platform. After enrolling the device, the Apps are deployed, but I can't add a google account on the Applications in the Work space of the device. Note that all these Client Apps are G-Suite apps. The error received when trying to enter the Google email credentials is "Action Forbidden, you are not allowed to perform this action, please contact your administrator". Could you please help me out with this issue?! Thanks in advance! Best regards, Pierre BILONG
Did you allow account to be added to the work profile in the configuration?
Apps from unknown sources are blocked as well.
Gsuite applications in the personal space work very well.
Yeah, the fleet is essentially composed of Samsung Xcover 4 devices.
Enroll it with WS1 or MobileIron you’ll have the same issue
Could you please send over a link for me to dig more?!
nope, sorry, it’s just something I remember from a case or 2 we had here
But I remember I tried this with a Pixel 3 device on my Intune lab console and I had the same result...
maybe the apps don’t have the permissions but I’m sure I saw something related
and anyway try to enroll with MobileIron you’ll see if the behavior is the same 😄
Hi folks, do you know a good resource where I can learn about security baselines. (excluding documentation)
Hi peeps, me again, is it possible to block specific URLs using Intune?
*Thread Reply:* Do you mean blocking them from being visited in the browser?
Some browsers might have that capability but there's no system-wide blacklist AFAIK. You may be able to leverage platform features like parental access on iOS.
Also you could route all of the traffic through the company (always-on VPN) and do it that way perhaps but it comes with many problems (logging into captive portals, networks blocking this etc).
*Thread Reply:* Yeah, looks like it. I came up with a workaround. Added entries to the hosts file: 127.0.0.1 www.facebook.com. Using a PowerShell script.
*Thread Reply:* I mean I'm sure it's there but I 'm really surprised you can mess with it.
Good news from Microsoft!
iOS User Enrollment in Preview Apple's iOS 13.1 release includes User Enrollment, a new form of lightweight management for iOS devices. It can be used in place of Device Enrollment or Automated Device Enrollment (formerly Device Enrollment Program) for personally-owned devices. Intune's Preview is supporting this feature set by letting you:
Target User Enrollment to user groups. Give end users the ability to select between lighter User Enrollment or stronger Device Enrollment when they enroll their devices. Starting on 9/24/2019 with the release of iOS 13.1, we're in the process of rolling out these updates to all customers and expect to be completed by the end of next week
*Thread Reply:* Can’t find any official documentation on this.
*Thread Reply:* Check out https://docs.microsoft.com/en-us/intune/whats-new
What is your approach in managing DEP an BYOD devices in same estate. Do you use different configuration profiles for your Managed (DEP) and BYOD devices or do you have one configuration profile that applies to all devices? Expecting not all of the restrictions to apply for BYOD devices.
*Thread Reply:* I prefer to separate them. You can enforce/set way more settings on a DEP device than you can on a BYOD device.
*Thread Reply:* so you would apply profiles to devices rather than users ?
*Thread Reply:* Depends on the use case. In some companies the users have a phone and a tablet; do you want the settings of those separated or all the same?
*Thread Reply:* in my use-case user will have corp iPad(DEP) and BYOD iPhone.
*Thread Reply:* I was thinking to have one configuration profile and apply it to a User and then depending on the type of the device the profile would apply fully or partially.
*Thread Reply:* I personally would split it. Not just because of the settings (which are fully applied on DEP and partially on BYOD) but also to maintain the overview in configurations. You are not limited to a few configurations; you can create as many as you want.
*Thread Reply:* How would one split them ? if profile gets applied to a User.
*Thread Reply:* this is what I can't make sense of. Do I create dynamic device groups and split them this way? and apply conf profiles to device groups ?
*Thread Reply:* @Marc van der Kooy can you describe in high level, what was your approach in separating BYOD devices from CORPORATE.
*Thread Reply:* @Dimi I can't really. It's just my personal opinion. I prefer to separate these config profiles to keep the overview.
*Thread Reply:* Ohh, I thought you had implemented something like this. Thinking out loud, if you would, what would be your approach?
*Thread Reply:* @Dimi I have, and I already told you that I prefer to separate configs, especially when the separation is between BYOD and DEP. But go ahead and try whatever works best for you...
*Thread Reply:* For anyone who is interested in how this can be done. I have created a dynamic group with the following syntax: (device.deviceOwnership -eq "Personal") -and (device.deviceOSType -eq "iPad" -or device.deviceOSType -eq "iPhone"). This way all personal iPads and iPhones will be added to this group.
*Thread Reply:* The only problem I found with dynamic groups is they take forever to update/refresh. So your devices may not receive any policies for a few hours.
*Thread Reply:* @Mathieu Beaugrand is there another way to do this ?
*Thread Reply:* @Dimi, Unfortunately there is no straight forward answer, at least at this stage. Microsoft message is to protect the identity and data (with flag and classification) regardless of device type and ownership. So if you are trying to follow this philosophy, then it means a global set of policies based on user as opposed to device type/ownership.
With Intune's Apple DEP deployment using User Affinity, does an admin need to assign the Company Portal VPP App also in 'Client Apps' or just only through the Apple DEP Profile?
*Thread Reply:* Hey @Timothy D we did the same thing. You'll have to do both I believe in order for this to work.
@Timothy D, i would do both, so user can actually re-install from the catalog if required.
/poll “What is your approach to applying Device Restrictions policies” “User Group Based” “Device Group Based” “Ain’t nobody got time for that” anonymous
*Thread Reply:* Interesting, so it is almost equally split in the middle.
@Jason Bayton feel free to use this extensive data-set for your survey . 😁
Hi folks, can someone clarify if iOS compliance policy is able to enforce the setting or only performs following actions (e.g. marks devices as non compliant and/or send user an email) for a non compliant device.
*Thread Reply:* The only options you have are to Send an email or to remotely lock the noncompliant device.
*Thread Reply:* A compliance policy does not enforce settings, it only checks the settings and marks a device a compliant or not. Enforcement of settings is done with configurations
*Thread Reply:* @Mark Vonk, you'd think so, but some settings in Compliance Policies are actually acting as a Configuration Policy, e.g. screen lock time for Android compliance policy setting overwrites the configuration policy; if they are different values you get error in the report for the setting. Microsoft tried to sell me "we recommend the settings to have the same value" which is nowhere in the documentation. I used same sentences from your post explaining the tech what compliance policy SHOULD do.. shrugging shoulders
*Thread Reply:* Aha, I didn’t know there are some exceptions. Typically I will always set up the compliance policies and configurations with the same values anyway. I hope they saw this as a bug?
*Thread Reply:* I wasn't left with the impression the incorrect behaviour will be escalated in some way. I also reported it to the FastTrack support, hoping a feedback provided to MS
*Thread Reply:* so this part of compliance policy actually enforces password settings ?
*Thread Reply:* Is there an option if the device is marked non compliant to remove managed applications and mail profiles?
*Thread Reply:* No, you can only enforce conditional access (ie block the device from accessing (cloud) services)
*Thread Reply:* @Mark Vonk so the corp iOS mail profile or managed iOS apps can't be removed from the device?
*Thread Reply:* even in a jailbreak scenario?
*Thread Reply:* Ehm no. You can send the user a message
*Thread Reply:* And lock a device (password lock> useful for Kiosk devices)
*Thread Reply:* But nothing more within the compliance policy
*Thread Reply:* You will have to use the compliance status in your Conditional Access rule, or create some script using Graph and perform your own set of actions
Hi, has anyone had to write a JSON file to manage permissions of Android Enterprise apps in app configuration policy profiles?
So I can't deploy a user certificate using PKCS on a AE Work Managed device using Intune? I thought DO/Work managed was GA?
*Thread Reply:* Nope that's sorely missing for us too. I don't even think there's any immediate plans for it :(
*Thread Reply:* We've been trying to set up SCEP but it's been a pain without the PKI knowledge in our team and the AD team not really helping :(
*Thread Reply:* I have NDES setup and delivering certificates to Android DA and iOS/macOS, but struggle to make SCEP profile work on Android DO (COBO)
*Thread Reply:* In the works: https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-for-SCEP-certificates-in-Android-Enterprise-dedicated/ba-p/928147#.XbFuJjSzgDk.twitter
*Thread Reply:* No that's SCEP and that's already there now. What's missing is PFX-style certificates. SCEP is much harder to set up. You can do PFX for Work Profile and Legacy devices but not for Device Owner.
@channel Did anyone already try to install a VPP app on an iPadOS device (iPad Pro 11 inch, for example) via Intune? (I know that pushing an MI app via Intune isn't very "correct", but please forgive me 😂)
Yes, we push the Company Portal via VPP and it works OK on iPadOS 13.1.2
I'm trying the User Enrollment and that's the issue. Then iPadOS isn't recognized
It is, and it works, just not in combination with iPadOS and VPP
I had issue with device based VPP and User Enrollment on iPad OS with AirWatch as well
Documentation is quite lacking currently from all sides involved
Do you know is it possible to register iOS device with Azure without it being managed by Intune ? Similar to what you can do with a win10 device?
*Thread Reply:* Dmitrijs, could this be of any help? https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/walkthrough--workplace-join-with-an-ios-device
*Thread Reply:* I've not tried it, but navigating to our Azure DRS downloads a profile, so guess you can give it a go
How can i delete all Azure AD registered Windows Phones from Azure AD? Can I use Remove-AzureADDevice to filter the OS? We delete the Windows Phones manually via GUI but they keep reappearing! They are not in use anymore.
*Thread Reply:* Get-AzureADDevice -All $true | where {$_.DeviceOSType -eq "WindowsPhone"} | Remove-AzureADDevice
What's a good place to go to get started understanding inTune?
*Thread Reply:* Nowhere. Nobody really understands Intune...
*Thread Reply:* @Sharkey I've been doing this for quite a while and it seriously still confuses me. Leave it to MS to create a product that is still in its infancy stages, but make the product more confusing. Oh, and to add, once you learn how to do something... a month or 2 later forget it and you'll have to re-learn it again b/c they've changed features/settings, etc...
*Thread Reply:* Seriously ... here: https://docs.microsoft.com/en-us/intune/fundamentals/get-support If you have a MS Account Rep you can leverage to help with training I suggest that too. I've done both read here and had trainings on the side. Hope this helps @Sharkey
*Thread Reply:* Best thing to do is try. No real exams or e-learning is available from Microsoft.
*Thread Reply:* Yeah, I'm getting that. I've never really acclimated to anything MS. I did Domino for 15+ years to stay away from MS. Now they are encroaching into my Mobile world lol. Thanks for the starting point.
*Thread Reply:* There are some good tutorials on LinkedIn training
*Thread Reply:* I'm also very new to Intune and find the documentation to be very good.
*Thread Reply:* You could look at MS-100 and MS-101 training
*Thread Reply:* Going for some training soon, but wanted to read up a bit
*Thread Reply:* They have a 30 day trial. Get it and see if you can break it.
*Thread Reply:* I know you have Airwatch knowledge so use that knowledge on the 30 day trial. It looks different but its the same concept.
*Thread Reply:* https://docs.microsoft.com/en-us/intune/index
*Thread Reply:* You can check if you have access to Microsoft demos; there you can get a demo tenant filled with content for a year
Hi folks, I have deployed an app protection policy for O365 iOS apps (9 apps in total) which enforces PIN for all app types. Console reports that the policy has been successfully applied (checked in). When I open Outlook or OneDrive it prompts for the pin, when I open Word it doesn't.
*Thread Reply:* Word is a managed app and should behave the same. I got the prompt that the app is managed and I had to restart it. But I would not be prompted for a pin.
*Thread Reply:* Not surprised. I’ve seen already such unexpected behaviors with Microsoft apps but it was about root detection. All apps were deleted but not word...
*Thread Reply:* I have seen this and other problems too. Sometimes an app asks for the PIN after some days or weeks but others work normally on the same device. Maybe there is a bug where sometimes the app doesn't apply the policy (completely) on first login and gets stuck for some time.
*Thread Reply:* I believe I have figured it out. For Microsoft Word, PowerPoint, and Excel, the user is prompted for a pin when they access documents that are stored in the company OneDrive for Business location. https://docs.microsoft.com/en-us/intune/fundamentals/end-user-mam-apps-ios#use-apps-with-multi-identity-support
*Thread Reply:* On iOS, one app PIN is shared amongst all apps of the same app publisher. Once a PIN is entered to access an app (app A), and the app leaves the foreground (main input focus) on the device, the PIN timer gets reset for that PIN. Any app (app B) that shares this PIN will NOT prompt the user for PIN entry. https://docs.microsoft.com/en-us/intune/apps/app-protection-policy#intune-app-pin
*Thread Reply:* Both are true, but I think there are also cases where the PIN sometimes does not work when it should.
Hi. Anyone done BYOD with Intune? Looking at Outlook for email possibly, but requirements are vague. Any info / links etc. to share would be great. Thanks
*Thread Reply:* it depends on your definition of BYOD. Enrolled or Not ? Android or iOS or Win10?
*Thread Reply:* If mobile device is not enrolled you can protect Outlook data using app protection policy. Outlook is an Intune managed app. You can set PIN for when the app is launched for example or prevent users from saving data locally.
*Thread Reply:* @Dimi Thanks. We need to look at iOS and Android only. Also to consider both enrolled and non-enrolled, as users may not want a management profile on their device. Requirements are vague. Have you implemented BYOD with Intune personally? Ta
*Thread Reply:* What requirements do you find vague? What requirements are you looking at? MDM enrollment should not be a user choice I believe. Corporate policy and security will dictate if MDM enrollment is required or not, or both.
*Thread Reply:* I second @Mark Vonk . @Jamsy Security should be main driver of the requirements. if you don’t have a security function within your company. Here a good place to start. https://www.ncsc.gov.uk/collection/end-user-device-security
*Thread Reply:* @Jamsy to answer your question: I'm actually implementing a BYOD solution right now and we would not allow non-enrolled devices.
*Thread Reply:* Following on from this thread. We are in finance so security is important and warrants further talks, but device management is not all that necessary nowadays as you have User Enrollment with iOS 13 and/or pull single mail apps with app protection policies. Aside from that, I guess we would ask: would you force BYOD users to install an anti-malware app for everyone’s protection?
*Thread Reply:* User Enrollment is nowhere near production ready. Unless you are happy to create accounts in a manual way.
*Thread Reply:* Federated authentication has not been released yet to ABM.
*Thread Reply:* There is no such thing as anti malware for iOS and you can't enforce anything on an unmanaged device. It needs to be enrolled.
*Thread Reply:* As mentioned above you can use app protection policies for Intune managed apps and Outlook is one of them.
*Thread Reply:* But saying that MDM is not that necessary these days is an understatement, especially in finance.
We have a customer who applied password settings via Restrictions. It creates an error: -2016332086 (4026:Removal date in the past)
I’m playing with Intune, bind is successful and apps are approved for AE, however I’ve done maybe 73 manual syncs, and also tried to manually add one app at a time through the iframe, nothing seems to be importing the apps. Any ideas? MS support have been poking around but no suggestions I’ve not already tried so far. It’s not actually importing VPP apps either despite MS confirming there are 7 apps associated with the VPP token waiting to import.
*Thread Reply:* Have you created a new location in ABM for this new Intune instance, or are you reusing a location and existing token?
*Thread Reply:* Welcome to the world of Intune and its follies
*Thread Reply:* That's an unusual spelling for bullsh**t 😅
It all self-resolved, after 6 days suddenly everything is there when I looked
*Thread Reply:* It's the alternative spelling! I know, right.. I had a line-of-business app deployment issue.. left it for the weekend and today it's deployed no problem and pushed config. No idea why or what the problem was!!!
*Thread Reply:* Intune is like that. It takes forever for any change to propagate.
*Thread Reply:* I love how blasé the attitude is. Like oh yeah it might take a week to deploy an app it takes seconds to do on any other EMM. Go have a cup of tea and evaluate your life choices.
*Thread Reply:* I know.. I spend my day just saying... well, in "insert decent EMM name" that works like this, or that would deploy in x mins etc! How the hell it's a GMQ leader beggars belief!
*Thread Reply:* You get what you pay for... Intune is effectively free, if you are signed up the MS way of doing things. The GMQ for UEM is some folly for sure.
I’ve been playing with iOS 13 user enrolment. When I first enrol I use my email address, choose user for enrolment and then it pre-populates with my email address without the ability to edit, however the managed apple ID used to login has the appleid domain prefix (jason@appleid.domain.com) since some users have unmanaged apple IDs with their corp addresses and would obvs clash.
How do I make the field editable when inputting what should be the managed apple ID?
*Thread Reply:* UserEnrollment is still in Preview in Intune. Already run into other issues as well.
*Thread Reply:* Yep aware, I just figured it wouldn't fall at the first hurdle for me.
*Thread Reply:* Try deploying VPP apps on iOS 13 with UserEnrollment in Intune. Doesn't work either.
*Thread Reply:* Damnit that’s exactly what I was planning
*Thread Reply:* Remember that the VPP apps have to be user-based (and not device-based). Perhaps this is what is failing, as you (I at least) tend to default to device-based licensing.
*Thread Reply:* @Peter why do you say that iOS VPP apps have to be user-based and not device-based? Does this apply to Intune as a whole, or just Intune user enrollment?
*Thread Reply:* Just user enrolment
*Thread Reply:* @Peter Mohr same here, prefer "Device based" licensing. Need to check what i tested last week. Did you manage to have it working with "User based" license ?
*Thread Reply:* Yes. Not on Intune though. Only tested on WS1. Same deal
*Thread Reply:* That would make sense though as User profile is a BYOD approach whereas VPP device based was tied to the idea of supervised corp devices. At least thats how i think of it
*Thread Reply:* In any case, can't get any of it working unless Intune allows the customisation of the Apple ID field 🤦♂️
*Thread Reply:* In WS1 you need the appleID (MAID) to match an e-mail of any enrollment user (basic or directory).. Could you create a user in Intune with your MAID as UPN ?
*Thread Reply:* That is the problem. All managed apple IDs are appleid.domain because folks already have unmanaged IDs against the company domain. Users are linked to Azure by default and I haven't considered the implications of creating no AAD accounts, if possible, in intune. If it's possible that'll be the way assuming no knock-on with office apps
Hi all. If I have an app that is not Intune managed app and available in the App Store, can I implement any controls over it on a managed device? I need a way to protect corporate data in this app (stop users from copying data to personal apps). Restricting installing personal apps is not an option, wrapping the app or integrating SDK is not possible as we don't have access to .ipa or app source code.
*Thread Reply:* Isn't "Viewing corporate documents in unmanaged apps" the setting you need?
*Thread Reply:* When you say copying data, do you mean moving files or copy/paste?
*Thread Reply:* @Marc van der Kooy that feature is enabled, is there anything else that can be done to have a level of control similar to app protection policy?
*Thread Reply:* @Kiran Patel copy paste text and taking screenshots, stuff like that
*Thread Reply:* I think you’d need Intune SDK support then
*Thread Reply:* Yes, you'd need either Intune SDK support, or look at similar controls from the app manufacturer. If they offer managed app config settings that Intune can push alongside the app, that may help
*Thread Reply:* Alternatively you can take a look at our solution www.scalefusion.com that allows you to take care of all these aspects with a few options checkboxes. Will be happy to showcase it to you
*Thread Reply:* @RamananScalefusion would love to see how you can tackle this issue. Got time for a call ?
Intune Cert Based Auth (PFX) for Exchange with the Outlook app or iOS Native Mail - is this supported or do I need SCEP for that?
SCEP is recommended, otherwise you need a profile per user.
*Thread Reply:* You need to tweak the PKCS template to allow private key export, since the connector exports the certificate in the background. This creates a security risk as the key is exportable by the user, which isn't the case with SCEP, I believe. Or so I was told :)
Hi. Do you know if there is a way to control notifications. i.e. disable notifications preview (sensitive content). Looks like it is a feature request. https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/34249816-hide-sensitive-content-in-notification-on-the-lock
You can configure notification settings per app (supervised only) https://docs.microsoft.com/en-us/intune/configuration/ios-device-features-settings#app-notifications But afaik you cannot control the preview by MDM
*Thread Reply:* I tested that one, and it only allows me to disable it completely.
*Thread Reply:* doesn't look like there is a way to show the notification but hide the notification content.
*Thread Reply:* @Dimi Thanks for the post. I have an open ticket with MS on this. I'm wanting to do the same thing.
*Thread Reply:* @Ray Domingue I would love to hear their response.
*Thread Reply:* @Ray Domingue have you heard anything back from MS?
Hi All. If I review an app protection policy I'm presented with a list of options and associated values set for this profile. One of them is "Org data notifications - Allow". When I click "Edit" this option is not available. And I can't find it mentioned in the documentation either. Can someone confirm if they see the same?
*Thread Reply:* Yes default to Allow for me too. Never noticed it before.
*Thread Reply:* What is really weird is that this option is referenced in the App Configuration Policy. However no documentation exists.
*Thread Reply:* https://github.com/MicrosoftDocs/OfficeDocs-Exchange/issues/1472
Has anyone got the automatic autopilot conversion working with Intune for Win10? I’m reasonably sure I’ve got everything in place and setup as MS docs suggest, including portal branding, but despite going through user driven setup and having the VM enrolled successfully, it’s not converting. Any idea what I’m doing wrong here? Windows is 1903 October cumulative. Business edition, licensed via M365
*Thread Reply:* Did you add the hardware hashes?
*Thread Reply:* No, the point of this is that I’m not supposed to need to as Intune should be able to extract them on enrolment
*Thread Reply:* How long did you wait? Could take up to 48 hours? Is the ownership of the devices set to Corporate? If set to Personal they won’t be converted
*Thread Reply:* Corp, overnight is longest I've waited so far, though I've done multiple resets and re-enrolments on current and another profile over the last few days
*Thread Reply:* @Robin Hobo's guide suggested minutes of waiting 😅
*Thread Reply:* 48 hours is the official text from MS. Are the devices members of the IntuneTest group? What the hell, are you working with Intune and iOS, macOS and Windows 10 devices all the time? Ain't got no time for that?
*Thread Reply:* Intunetest is static, just one user assigned (me) with my single windows VM.
> what the hell
I've recently taken over management of the IT dept and standards aren't at the level I'm used to seeing them. The dept is small so I'm helping out for a bit.
*Thread Reply:* Is your vm already intune managed?
*Thread Reply:* Try it with one that includes devices, not users with devices.
*Thread Reply:* Yup that was it, targeting devices worked and took about 10 mins 🙂
You may need to change the name of this channel... https://www.youtube.com/watch?v=GS7oNPInFuw&feature=youtu.be
*Thread Reply:* More info here... https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Modern-management-and-security-principles-driving-our-Microsoft/ba-p/946797
Hm nice... I like the name as it's more descriptive. Someone who hears Intune for the first time will have no idea what it's about. Now they will. Only drawback it is a lot longer....
It was much more difficult when AirWatch rebranded to Workspace ONE (and its agent to "Intelligent Hub") as it was much less clear what it actually did 🙂
I’m waiting for the announcement that Workspace ONE will now be known as “VMware Endpoint Manager PLUS” or something.
*Thread Reply:* Anything is better than AirWatch 😄
other interesting announcements were that anyone with ConfigManager CALs now auto gets MEM (Intune) CALs. Probably will increase pressure to adopt MEM as the primary UEM option over existing 3rd-party solutions like WS1, MobileIron, etc.
*Thread Reply:* Are you saying that they no longer need some explicit license level like E1/E3/E5? Forgive me, never got heavy into SCCM so not sure how CALs work there
*Thread Reply:* Not sure on the mechanics of it yet but the announcement was covered in this article
*Thread Reply:* As far as the device management experience goes, the new Endpoint Manager and the licensing changes that come with that are meant to not just simplify the branding but also the experience. And Microsoft definitely wants people to move to this modern system, so it’s giving everybody who has ConfigMgr licenses Intune licenses, too, so that they can co-manage their PCs with both tools and get access to the cloud-based features of Intune.
*Thread Reply:* https://techcrunch.com/2019/11/04/microsoft-launched-endpoint-manager-to-modernize-device-management/
*Thread Reply:* looks like you attach an Intune tenant to your SCCM and off you go. What this means in practice with MS licensing is not clear though. Will have a chat with my MS licensing guru and find out
Hi All, has anyone experienced significant delays with Fully Managed receiving policy or apps in Microsoft Endpoint Manager recently? This seems to be when deployed to an AAD Dynamic Device Group. We are testing with Assigned Device groups too, this issue does not seem to be affecting deployments within the user context
*Thread Reply:* There is a lag sometimes up to an hour for dynamic groups.
*Thread Reply:* Hi there, yes, appreciate that, but some of these devices are taking 4, 6, 8 hours and some aren't even evaluating at all. Seeing this with multiple customers
*Thread Reply:* https://feedback.azure.com/forums/169401-azure-active-directory/suggestions/33481477-ability-to-trigger-a-dynamic-group-update
*Thread Reply:* Thanks
The thing is though, there appears to be no issue with the membership evaluation as the devices are being evaluated in groups in a timely manner...
*Thread Reply:* haven't seen that one, only the evaluation bit.
*Thread Reply:* >There is a lag sometimes up to an hour for dynamic groups.
After about 6 minutes of not seeing my dynamic groups update with devices that were CLEARLY targeted I switched them back to static and mumbled expletives about Microsoft 😛
*Thread Reply:* So would I have issues when I use Dynamic User groups for deploying my resources? I have created a dynamic user group for all users which have a Intune license! Bad idea?
Intune BYOD question: if a device ownership was set to Corporate-Owned then changed to Personal (set by accident), will this then delete the data it has collected previously (for example app data)?
I'm trying to figure out the way to deploy Application Configuration Policy ONLY to a pure BYOD (Unmanaged) device. It doesn't look like it can be done. The only way to apply it to BYOD (Unmanaged) is to deploy to a User group and because of that all devices (Supervised and Unsupervised) that belong to this user will get the policy.
*Thread Reply:* In case you wonder, someone just confirmed that there is no way to do this. The only way to apply App Policy to Unmanaged device is through the User Group.
*Thread Reply:* Is there a reason you wouldn't use the same app policy for the corporate devices as well? Just curious.
*Thread Reply:* This behaviour makes sense to me @Dimi. But like Andrew mentioned, I'm keen to understand your use case, as to why the MAM policy should be different on Corp vs BYOD.
*Thread Reply:* I'm migrating devices from BB UEM to MS Intune. One stream of this is also to migrate users from BB Work (email client) to Outlook. In BB Work it is possible to control the level of detail in notifications (show only the name of the sender and no message details). Intune doesn't have the same level of controls.
*Thread Reply:* I managed to find 2 controls in Intune that apply to Notifications. App Configuration Policy and Device Feature Profile
*Thread Reply:* in this estate I have 3 device flavors. Supervised, Unsupervised, and Unmanaged.
*Thread Reply:* The Device Feature Profile provides best user experience, however can only be applied to Supervised devices.
*Thread Reply:* To cover Unsupervised and Unmanaged devices I need to apply an Application Configuration Policy. The only way to apply this policy is via the User Group, meaning it will apply to all device flavors, including Supervised.
*Thread Reply:* I would love to be able to apply the app policy to Unmanaged and Unsupervised devices and keep the Supervised devices unaffected, as I'm able to provide a better experience with the Device Feature Policy.
@here Does anyone know of plans from Microsoft to support Google IDs in the Android Enterprise Work Profile? Currently this is not possible, but some other MDMs have it. Could not find any reference to this feature request. Maybe someone here knows about it? Thanks!
*Thread Reply:* I know nothing about the roadmap, but supporting Google identity doesn't seem in line with Microsoft's goals of driving Azure consumption.
*Thread Reply:* I recently did some intune training and android support is just plain crap IMO. The trainer didn’t know much at all. I think they could support custom XML. You’d probably have to go that route.
*Thread Reply:* Yes. there is an option to do that. But I have no idea what XML to push. Was just googling for that 😉
*Thread Reply:* If you find a good resource let me know. Love to keep that in my back pocket. Holiday here otherwise I’d start scouring the net myself as well.
*Thread Reply:* Seeing Intune uses AMAPI, I found this AMAPI policies reference: https://developers.google.com/android/management/reference/rest/v1/enterprises.policies But I can't find any for Google IDs specifically yet.
*Thread Reply:* It does not seem possible. Intune docs state that only a limited set of settings are available to use with custom profiles. It does not explain which ones though... I am actually thinking this option, allow Google IDs, is not (yet?) available in AMAPI...
*Thread Reply:* Just out of curiosity - why would you need a Google Account within the Work Profile? What's the use case here?
*Thread Reply:* If you're a G-suite shop, you can have the user sign into the work profile with their work account, and all of the work data syncs auto-magically.
*Thread Reply:* Ah that is cool - didn’t know that one. 🙏
"Android device management with Microsoft Intune" session's video at Microsoft Ignite'2019: https://myignite.techcommunity.microsoft.com/sessions/81686?source=sessions
*Thread Reply:* https://docs.microsoft.com/en-us/intune/apps/app-protection-policy-settings-ios#functionality
*Thread Reply:* I think it allows opening links in a specific (unmanaged) browser, but I can't figure out how to make it open links in BB Access, for example.
*Thread Reply:* if you leave blank, then the device will open any URLs with the default browser (Safari for iOS), however if you set it to a value, the URL will open in the specified browser. For WS1 Web for example, you would use awb:// or awbs://
*Thread Reply:* remember: managed browser will be end of life next year, see https://twitter.com/teroalhonen/status/1192831516021272577/photo/1. You can use edge instead and set the app via app config as "the" protected browser for intune managed apps: https://docs.microsoft.com/en-us/intune/apps/app-configuration-managed-browser#how-to-set-microsoft-edge-as-the-protected-browser-for-your-organization
*Thread Reply:* see also: https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Use-Microsoft-Edge-for-your-Protected-Intune-Browser-Experience/ba-p/1004269
*Thread Reply:* I managed to make Outlook open links in the BlackBerry Access browser; the prefix to use is "
*Thread Reply:* https://devicemanagement.microsoft.com
Is anyone here using 3rd-party event log analysis tools for iOS devices? If such a thing exists.
*Thread Reply:* What are you trying to achieve? Remote logging is very hard due to restrictions in iOS. Tethered logging is available by default. For forensics, you will need stuff mostly from Israelis, like Cellebrite.
*Thread Reply:* I was wondering if I can get anything on top of what Intune reporting provides.
*Thread Reply:* Battery life, signal strength, anything tbh...
*Thread Reply:* like a 3rd party client that would collect this data and send to big data platform from which I would be able to do fancy dashboards.
*Thread Reply:* Intune does not collect much indeed, other MDMs do collect more. Maybe use UserVoice to specify your feature request. Maybe some MTP/MTD apps collect more info, like Lookout.
Anyone here done testing with Intune to see if its native jailbreak detection identifies checkra1n?
Does anyone know any way to push an MDM profile through Intune that marks Skype packets with a certain DSCP QoS type? I don't think so (I looked through the documentation) but if anyone found anything like this please let me know!
*Thread Reply:* move to port based tagging would be my answer haha
*Thread Reply:* But yeah I suggested MAC based tagging to them... Issue is though that the devices in question are rugged Samsung devices and as such very hard to discern from consumer Samsung devices just by MAC address
*Thread Reply:* Deploy a different SSID for those devices might be easier, assuming those devices are on Wifi? Or implement a solution like Wandera for cellular devices.
*Thread Reply:* Yeah, we already have a ton of SSIDs. Not going to fly unfortunately. If we could do that I'd have other wishes too, like an enrollment/onboarding network 😄. I just wanted to double-check. According to the Skype team they've deployed this through GPOs on Windows and they don't believe that we can't do it on Android.
*Thread Reply:* for iOS this is done for the wifi profile
*Thread Reply:* Ah I should have mentioned: it's for Android. They want to buy rugged devices so Apple isn't an option. Didn't know you could do that though! But I didn't look there because the only devices they have in mind are Android.
*Thread Reply:* Rugged 👀 which devices?
*Thread Reply:* At the moment they're looking at RugGear RG725 or Samsung Xcover 4s devices. Both are pretty poor by the way, especially the Samsung is the bare minimum of what I'd consider "Rugged". But they didn't have much budget to play with. The RugGear looks/feels a bit better, though it still doesn't look/feel like it would stand up to real abuse.
By the way I'm comparing these to HAM and professional radios which I know of, which usually come with things like die-cast metal casings, super thick display glass etc. The RugGear still feels very plastic. And the Samsung feels less solid than any normal phone in a LifeProof case. Probably just OK for factory use if you keep it in a pocket but I wouldn't clip it to a belt with the screen exposed to banging into doorframes etc.
*Thread Reply:* We're a telecoms supplier in the UK (not sure where you are based), but for real rugged phones we use https://hammerphones.com/ or the CAT range. The Hammer phones are quite a good price point for what you get
*Thread Reply:* Thanks! I'm not involved in the choice of device - this is run by our office telephony team. But I'll tell them. I do think they didn't choose CAT because of price. I'm in Barcelona by the way but this is a global project.
Yes we have this working with Global Protect on iOS. Not Android, I believe that's not supported yet (another colleague is the lead on this)
*Thread Reply:* Great, I’m looking to do this on iOS. Can you describe at high level what needs to be configured/enabled on the Palo Alto side?
*Thread Reply:* Hmm no not myself. I'm out of the office this week but I can check with the colleague who set it up when I'm back. He didn't manage the GP side though so I'm not sure how well aware he is of that.
*Thread Reply:* @Tycho If you can get me any information that would be great. Thanks
*Thread Reply:* Unfortunately we don't. The VPN guys are a closed bunch 🙂 They managed this themselves without our input.
*Thread Reply:* @Tycho can you find out what type of certificate was used for the authentication? SCEP or PKCS ?
*Thread Reply:* Definitely PKCS because we don't have SCEP working yet in production
I have a scenario when registering an Android device to Android Enterprise Fully Managed. When adding a secondary Gmail account > open Play Store > switch to my private Gmail account > download an app that is not in Intune > app gets installed > after 10-15 minutes the app gets uninstalled. Do I really need to whitelist EVERY app in Intune so that apps don't get uninstalled when users install private apps in this AE mode?
*Thread Reply:* The Android management API has both a whitelist and a blacklist option for apps. Whitelist is default. If Intune offers this then yes you can permit personal apps being installed alongside corporate apps.
As an aside if you allow this you lose most dlp control vs utilising separate profiles, and run the risk of data leakage.
*Thread Reply:* Thanks for reply! Alright, where is this setting in Intune?
*Thread Reply:* @Yth You have to “Allow access to all apps in Google Play store” in the Android Enterprise Device Owner Restriction. It’s under “Applications”.
*Thread Reply:* Thanks Nico, it worked when I changed to Allow!
If app protection policy is set to passcode with length of 8 and you relax it to numeric with length of 6. Will user be asked to change the pin ?
*Thread Reply:* I do not think so. The user can change it to 6 digits though.
*Thread Reply:* It takes ages to apply, but it does prompt the user to change to a 6-digit PIN. I remember speaking with someone about the same use case for the device PIN and apparently it does not prompt for a more relaxed change. Looks like app protection behaves differently.
*Thread Reply:* Need to test the device policy just to check.
@channel What's the " <autoSwitch>false</autoSwitch>" in the Custom OMA-URL XML for Wifi? Does it switch to the pushed wifi network when it's connected to a different wifi network?
It appears to be a switch for Windows. Found this in the Windows 10 CSP for Wi-Fi: https://docs.microsoft.com/en-us/windows/win32/nativewifi/wlan-profileschema-autoswitch-wlanprofile-element
Referenced from here: https://docs.microsoft.com/en-us/windows/client-management/mdm/wifi-csp
If you are using it for Android (adding a WiFi with a preshared key?), I do not think this element will do anything for that.
Using the custom OMA-URI for adding Wi-Fi settings to an Android BYOD device with Android Enterprise Work Profile. You can't push Wi-Fi settings any other way to BYOD devices via Intune afaik.
*Thread Reply:* Correct. A Microsoft engineer told me once that this was due to security concerns...
Do you guys know if per WIFI proxy is possible on Android Enterprise using custom profile?
*Thread Reply:* I have never seen any example of that... But OMA-URI is seriously under-documented though, so who knows... 😞
*Thread Reply:* Yeah, could not find anything myself only Windows 10 examples are available.
Does an "App configuration policy" trigger "App Protection policies"? Set up an Outlook AppConfig for a customer and they receive a pop-up on not-enrolled devices: "The Intune Company Portal is required for the account xx."
*Thread Reply:* Android: yes as soon as you push a policy or configuration, the company portal is required. Just the app needs to be installed, device does not need to be registered.
Which cloud apps need to be excluded from conditional access for enrollment into Intune? There is a block for all client apps active in conditional access
*Thread Reply:* afaik it depends on your block policies and setup. Try a combination of intune enrollment, Intune and azure AD
@channel does anyone know how to solve this? Android 9 device enrolled as BYOD. Issue is pinpointed to "user account". It works if the device is reset and registered with a different user. If user tries another device, same error. Even if the device was previously registered by a different user.
*Thread Reply:* I can't read the error message, but if it's only one user and it doesn't matter which device, I would check if the user has all variables set that are needed and if the user has the right licenses and configs
*Thread Reply:* Looks like it, but what setting can block this? User has enough enrollments left. We tried 4 different devices(same A50's) and the 4th one worked. Other 3 are enrolled for different users. really weird stuff.
Who is using Bitlocker via Intune? Any special requirements for Win10 except TPM being enabled in BIOS? Are you assigning the config to a device group targeting Win10 or to the users? I know using device groups takes a tremendous amount of time reaching the device.
TPM is not needed, but more secure of course. In case there is no TPM, a boot password is needed. Make sure to back up the recovery key to azure ad.
*Thread Reply:* Is there no way to pre-configure the settings the user has to check within the prompts on the device? Like third party software installed and what to do with the recovery key?
*Thread Reply:* Also: must the logged-on user be a local admin on the machine? Would you recommend a startup PIN?
*Thread Reply:* Admin permissions are not necessary. All done via GPO/Policies
*Thread Reply:* Standard users can enable BitLocker since 1809. For TPM equipped devices a boot password seems redundant. Also check for more recommendations:
https://docs.microsoft.com/en-us/intune/protect/troubleshoot-bitlocker-policies
*Thread Reply:* Weird I have a tpm but still need a boot pin. Will check with my Windows colleagues
*Thread Reply:* It is a setting to require a boot password, even with TPM.
*Thread Reply:* Startup pin is the official term btw. You can allow it, or require it, even with TPM. Without TPM it is required. I do not see a reason to require it with TPM.
Has anyone tested this? Looks like you can enable Google Play Store on COBO devices.
*Thread Reply:* Yes. That’s by design from google
*Thread Reply:* Up to the EMM to allow it. WS1 doesn’t enable that setting.
*Thread Reply:* That is what I thought. I haven’t found this on MobileIron Core either. Any good reason for WS1 not to leverage this?
*Thread Reply:* They don’t see the use case as valid
*Thread Reply:* I want it myself but they didn’t care
*Thread Reply:* They just figure you should use COPE
*Thread Reply:* We've tried. We do not recommend it though. Does make things complicated for users
*Thread Reply:* COPE should be the way to go. but Intune doesn't have it yet
*Thread Reply:* On MobileIron Core when you enable Allow users to add accounts in the lockdown policy the user can add his personal Google account and install any app on the COBO device.
*Thread Reply:* @Almar Diehl the above method doesn’t require sign in via a google ID. When you allow adding an ID, you end up with several IDs in the play store on on device. It’s very confusing. Then people still need to manage IDs again.
*Thread Reply:* Mixing work and personal apps within a managed profile is a recipe for data leakage
*Thread Reply:* But not everyone cares about that in the end. I can lock down the apps I’m concerned about other ways.
Bitlocker question - any value to hosting recovery keys in InTune versus within AD?
*Thread Reply:* I think it is actually stored in AAD, not Intune itself. It is pretty easy for users. When they do not have the recovery key, they get a link to get the recovery key from AAD for their device (after the user is authenticated of course)
*Thread Reply:* That is the Pro I have noticed. Is more a self service thing though, you might not want to expose depending on your policies.
*Thread Reply:* Be mindful of the device cleanup rules, as this also deletes the BitLocker recovery key
Why is the "All Devices" option removed in the Device Compliance Assignment option? I can only assign a "Device" Compliance policy to "All Users" or "User groups". When I assign it to a Device group, the status stays on "Not Evaluated".
*Thread Reply:* I had a training class with Microsoft last week on this. Bottom line they said the best practice to do with Intune is to use User based AD groups. Does not work well with Device Groups, etc... Not sure if that helps answer your question at all or not.
*Thread Reply:* Doing an implementation of Intune for a customer atm. Customer has different device models. We want to deploy the Device Compliance Policy model-based and not user-based. Customer has around 100 old TAB S2's with Android 7 (cannot be updated). So 1 policy for the TAB S2's and 1 for all other devices (min Android version = 8)
*Thread Reply:* @Ray Domingue do you deploy your android restrictions policy to a user group or device group or both?
How can we push out managed bookmarks to Chrome in Intune?
Android can be achieved via managed app config parameters. Not possible on iOS currently.
When using Intune on mobile devices, what is the recommended setup to achieve SSO for Office 365 apps on the devices? Let's say that you have a hybrid setup (AD + AAD) and when you change your password in the AD the O365 apps on the device should auto-update the password
*Thread Reply:* How is your tenant configured for auth?
*Thread Reply:* We've been told and have tested using MS Authenticator with Device Sign In as the SSO broker app for iOS devices. When changing the pw it revokes the token though and the user is prompted for their AD pw again.
Is it possible to use MFA with the iOS mail client?
*Thread Reply:* But only if you enable OAuth in the Intune email profile, right?
*Thread Reply:* Modern Auth needs to be enabled on the Exchange On-Premise or Exchange Online as well for that to work, right?
*Thread Reply:* Yes for both. So for on-premise, you would need Hybrid Exchange. Exchange Online already has modern auth. enabled
*Thread Reply:* Yes, enable OAuth in the email profile. But there is a major issue with this feature and iOS 13 right now. When you switch over to Authenticator from the mail app "webview", the authentication will fail. Apple is working on it. This can also be seen in other apps. If you use Authenticator on another device it works.
*Thread Reply:* Thanks for the hint @Anton I 🙏
*Thread Reply:* @Anton I do you know if there are still issues? We have Exchange 2013 configured with iOS native mail. Now we activate MFA which seems to break the current configuration because OAuth is not enabled. So we need to deploy the Authenticator app and enable Oauth in the mail config, right? Will we also need ADFS for that to work?
*Thread Reply:* Apple has not yet confirmed a fix. However, in the latest iOS 13.3.1, we have been unable to replicate the issue so far (no major testing though). Yes, I believe that you're right. I'm not really sure what you mean though, where have you enabled MFA if you don't have ADFS or similar?
*Thread Reply:* @Anton I Azure MFA, not on an ADFS. We don’t have ADFS
*Thread Reply:* So you have Exchange 2013 and use Azure AD as the IDP? But you're not using Exchange Online?
*Thread Reply:* We are in the process of moving to Exchange Online. Most of our mailboxes are still on Premise. Currently we have only AAD Connect with Password Sync enabled. I guess it would be better to wait until the migration to Exchange Online is finished and than activate MFA.
*Thread Reply:* Yes I think that setting up a new authentication method on Azure without involvement of MS EX 2013 would be better. Remember that you can use Azure Certificate Based Authentication for Active Sync (Native iOS client) if you want. Zero touch user experience!
*Thread Reply:* But would we still need ADFS for OAuth to work?
*Thread Reply:* But what is that supposed to mean?
*Thread Reply:* https://docs.microsoft.com/de-at/mem/intune/configuration/email-settings-ios
*Thread Reply:* • When OAuth is enabled, end users have a different "Modern Authentication" email sign-in experience that supports multi-factor authentication (MFA). 😄
*Thread Reply:* Jesus.. :facepalm::skintone_2:🤣
Hi Folks. Has anyone tested the new "Org data Notifications" setting in App Protection Policy, in conjunction with the latest iOS Outlook client?
I know this has worked before - searching for business contacts from the personal profile (like contacts or dialer). We use Outlook with Intune, contact sync is enabled within Outlook, but I cannot find work contacts from the personal profile. Was there a change I am not aware of?
FYI. Did you know that you can check what MAM policies have been applied to the iOS device by opening Edge browser and typing about:intunehelp
*Thread Reply:* Yup, if you need a managed browser that's pretty much your only option. It's actually pretty good.
I would like to know how many iOS devices (iPhones and iPads) I have in each geographic location, i.e. UK, Germany, Hong Kong, etc. I was thinking to create some sort of dynamic group based on the device categories (different countries will have their own category). Is there a better way to do it?
Yes - you can run reports through PowerBI connected to the Intune Datawarehouse. One of our colleagues has built an excellent report that can show all this as well.
I'm not 100% how he did it but the PowerBI integration is really powerful
and you also need a good powerful machine to setup the Intune Datawarehouse because it uses a lot of memory and also occupies a lot of space, even power BI in this case requires a good memory machine…
Intune Datawarehouse is stored in the cloud as far as I’m aware. I will be only manipulating the data it provides .
Hi all, I've a question about Android COBO enrollment in Intune with Teamviewer. When the customer uses Teamviewer to view the mobile device it works, but when the user switches screens (other app or home screen) the screen of the admin goes black. Does anyone have a clue how to fix this?
*Thread Reply:* Do you have screenshot disabled?
*Thread Reply:* Not that I'm aware of
*Thread Reply:* Screen Capture = not configured Default permission policy = auto grant
*Thread Reply:* hmm, are you using the microsoft launcher, or app protection policies blocking it? That’s the only time really I’ve noticed this happens - when screenshots are disabled somehow
*Thread Reply:* KME pushes intune_kme client to the device. App Protection Policy: Screen capture and Google Assistant - Enable
*Thread Reply:* Well, I found another App Protection Policy with: Screen capture and Google Assistant - Disable. Need to find out what device group it's pushed to.
*Thread Reply:* Deleted all App Protection Policies, synced device = no result
*Thread Reply:* When the customer installs Teamviewer QuickSupport outside the container, the device can be controlled until an app from the work container is opened.
*Thread Reply:* COBO and BYOD have same problem.
*Thread Reply:* Do you have any Samsung specific restrictions pushed? Knox Service Plugin or anything?
*Thread Reply:* Not that I'm aware of.
*Thread Reply:* Seems this is a TS issue after the last update of the app from their side. They are working on a fix.
*Thread Reply:* Oh good. I was running out of ideas ahead of asking for logs..
*Thread Reply:* @JeroenK What do you mean by TS? Teamviewer?
*Thread Reply:* Yes indeed. Sorry for the confusion.
*Thread Reply:* Ok, so issue is on Teamviewer's side. Would love a source for this. Do you have it?
*Thread Reply:* https://community.teamviewer.com/t5/Mobile/Samsung-Knox-and-TeamViewer/td-p/78956
Hi Everyone! Does anyone know why in the Microsoft documentation in one place it says that you can assign an app to a device not enrolled in Intune and somewhere else that you cannot? Is it possible or not? ( https://docs.microsoft.com/en-us/intune/apps/apps-deploy) Thank you in advance
*Thread Reply:* I believe you can assign the app to a User group and then the user can choose to install it from the web based company portal app. https://portal.manage.microsoft.com/
*Thread Reply:* Hi Dmitrijs, thank you for your answer. Yes, I am aware of that, but my doubt is that it says specifically to a "device".
*Thread Reply:* You can not assign the app to unmanaged device directly. Since there is no device object in Azure.
*Thread Reply:* To be able to push apps to a device it must be enrolled and managed by Intune.
*Thread Reply:* Thank you Dmitrijs, that's what I thought but I wasn't sure. So looks like an error in the documentation.
Has anyone tinkered with Graph-API + Intune? Seems like a very powerful stuff.
Extracted device restriction policy and created a new one using REST API. Intune as code. Amazeballs.
Oh yes I have many automation scripts running. I don't talk directly to the REST API though, I prefer using the powershell cmdlets that Microsoft has made available last year. It's really great, and works better than Workspace ONE API because we always ran into their API call limits there.
*Thread Reply:* What do you use it for on a regular basis ?
*Thread Reply:* Many many things 🙂 Off the top of my head:
• Marking devices as "Corporate" when they have chosen the relevant category during enrolment
• Checking which devices have recently enrolled and then removing them from WS1 if they're still there (which causes confusing compliance emails)
• Enterprise wiping devices when the associated AD account is disabled
• Cleaning up "Retire pending" devices that have been in this state too long
Hmm I know there's 3 or 4 more scripts running on there but I don't recall right now as I've built most of them more than 6 months ago :)
*Thread Reply:* But mainly maintenance tasks.. I didn't automate the creation of policies etc, there wasn't really any need as it's not an ongoing thing
*Thread Reply:* There's a lot of examples here: https://github.com/microsoftgraph/powershell-intune-samples
*Thread Reply:* I’m doing consultancy work so spinning up things in test and then migrating to prod is happening all the time. I will definitely use it in a next project.
*Thread Reply:* Actually that link I just sent still uses the raw REST calls - it's not the one I meant. 1 sec and I'll find the right one
*Thread Reply:* This is the one: https://github.com/Microsoft/Intune-PowerShell-SDK/blob/master/README.md
*Thread Reply:* That SDK is really great for quick automation and it handles all the authentication and REST calls in the background, and you don't have to worry about converting JSON etc. It just returns objects.
*Thread Reply:* lovely, now I need to find some free time to learn it all.
*Thread Reply:* Yeah that's another thing, with this module you don't have to get the admin consent for every script
*Thread Reply:* somehow got it working on a non Global Admin account, but if someone asks me what I did I won't be able to answer that question 🙂
*Thread Reply:* I was just about to go to sleep, it looks like it is going to be a late one today 🙂 thanks for the link.
*Thread Reply:* Good night and let me know if you need any example code 🙂
I’m looking to change the Device Name Template in the iOS Enrolment Profile from {{DEVICETYPE}}-{{SERIAL}} to include the username as well, however I can’t find a list of available variables anywhere. Is it limited to {{DEVICETYPE}}-{{SERIAL}} only?
*Thread Reply:* @Dimi I have the same issue. None that I'm aware of. We left it as this to distinguish it from those managed vs non-managed devices. If anyone has anything else to add let me know!
Do we need a Teamviewer license to use the remote control for mobile devices or is this included with Intune?
*Thread Reply:* @MichaelM21 we are using TEAMS and it's working well. Prevents us from using TeamViewer license as we're already utilizing Teams.
*Thread Reply:* Microsoft Teams? For Remote Assistance for iOS and Android?
*Thread Reply:* @MichaelM21 Yes, that's correct. You do have to enable screenshots on the policies for this to work though.
*Thread Reply:* Additional teamviewer licenses are required, however they are the regular concurrent session license
I think you need a separate license…
Hi all--I am relatively new to both Intune and Android Enterprise and I’m running into a problem while trying to set up test devices. I’m trying to enroll a Galaxy Note9 as a COBO device in Intune. I get prompted to set a PIN/screen lock as expected, and then install work apps as expected (which currently are Intune Portal and MS Authenticator). I then try to register my device and see my company info and am even prompted for user name and password, but it won’t go past that. I do show the device in my Devices list in Intune, and it’s marked compliant. I just don’t know what I am missing that won’t let it complete the registration. Anyone have any suggestions? EDIT: Adding the solution in case anyone else runs into this (or more realistically when I forget and go searching and find my own question in a year): had to get my Azure AD admin to exclude the Microsoft Intune Enrollment cloud app from our conditional access policy and then it immediately let me sign in.
Does MEM just default to ABM devices being ‘Corporate’ and manual enrollment being ‘Personal’? Is there some way to change it so that the end user can choose whether its a corporate or personal device when enrolling?
*Thread Reply:* It does. You can use categories for more granular control. https://docs.microsoft.com/en-us/intune/enrollment/device-group-mapping
*Thread Reply:* you can add corporate identifiers (https://docs.microsoft.com/en-us/intune/enrollment/corporate-identifiers-add). But there's no choice for the user, it assigns the ownership status automatically on enrollment.
*Thread Reply:* Well, you can script it so that you can give the user a category choice and then change the ownership model. This is what we do.
*Thread Reply:* Personal ownership is the default, unless the device is pre-identified as corporate. But when the user chooses corporate in the category request box, we have a script that switches them to corporate in 5 mins
*Thread Reply:* @John Luth if you like I can share the script with you. It's powershell.
*Thread Reply:* @Tycho That would be great. Thanks in advance!
*Thread Reply:* @Tycho Share or link would be great here too
Hi Folks. Has anyone had experience with Android enrolments on the internal network with SSL inspection turned on? We are having issues enrolling Android based devices (Teams Phone) on the network where SSL inspection is turned on. Was thinking to exclude Intune endpoints from the inspection, but the list is huge.
Yeah you'll need to exclude it or whitelist the root CA on each phone, there's no alternative. We have most of microsoft.com excluded I believe, and we only enrol through our guest wifi anyway (there's no way to get on our corporate net without being enrolled first)
*Thread Reply:* Whitelist root CA? Deploying root CA to the device ?
*Thread Reply:* "trust" would be a better term than whitelist
*Thread Reply:* Having the connection to the MDM encrypted by an untrusted root will definitely break enrolment
*Thread Reply:* Which is understandable but indeed a pain also because the easiest way to deploy the root CA is through the MDM
*Thread Reply:* So I would recommend not using your regular network with SSL inspection for enrolment
*Thread Reply:* We've long been talking about setting up a separate enrolment network that can only access the intune servers and stuff from Apple/Google and absolutely nothing else. But it never materialised because the network guys don't want to add another SSID
*Thread Reply:* Right now our onboarding for devices without 4G is pretty crap to be honest because we don't have this
Hi all, I’m trying to enroll a Zebra MC330k with Android 8.1 to Intune. Without Google Play Store, I have to sideload the Company Portal app. Has anybody successfully sideloaded the Company Portal using StageNow? I’m getting “unable to reach FTP server”.
*Thread Reply:* The MC3300 has a GMS version of the OS that you can load on the device. I have to imagine it is going to be easier for you to manage them under AEDO with GMS than AOSP
Hi all, is anybody doing retiring of LOB apps in Intune, like in SCCM? Is there a way to achieve this?
Anyone still using the Managed AppConfig with Intune Company Portal (iOS) when enrolling users at the User Enrolment screen? I'm having issues with config registering the Company Portal to the registered user. The config installs but users are still required to sign into the Company Portal making sign-in via Company Portal obsolete.
*Thread Reply:* This is the document / KB Article at hand: https://docs.microsoft.com/en-us/intune/apps/app-configuration-policies-use-ios#configure-the-company-portal-app-to-support-ios-dep-devices
*Thread Reply:* Update: Ditched this and going with Company Portal sign-in. Microsoft's support for Auth @ Set-up Assistant is close to none (Also AAD Sign-ins report Set-Up Auths as Windows 10 Browser sign-ins, weird!)
Has anyone seen this and used a calculator to work out how many years it was? 😂
*Thread Reply:* A customer of mine set the value to 65535 days without thinking 🤔
Hi all, does any of you have further experience with Device Enrolment Manager in Intune? The MSFT doc says: > “Every device enrolled with DEM accounts needs to be properly licensed to be managed by Intune. The license could be an Intune user license or an Intune device license.” We use user-based licenses. Does that mean that the DEM account can enrol 15 devices and the 16th device will require a second user license?
*Thread Reply:* I believe a DEM account can enrol up to 1000 devices and you need 1000 Intune licenses if you are planning to enrol 1000 devices.
*Thread Reply:* A DEM account user must be assigned an Intune license as well.
*Thread Reply:* Does it mean 1000 devices = 1000 user licenses? (If this is the case, it makes more sense to use device licenses)
*Thread Reply:* Every device enrolled with DEM accounts needs to be properly licensed to be managed by Intune. The license could be an Intune user license or an Intune device license.
*Thread Reply:* Yes, but every user can enrol 15 devices (user-based license), so 1000 devices = 67 user licenses or 1000 devices = 1000 user licenses?
*Thread Reply:* It's user based. DEM is added for Win10, where you can pre-enroll and then change the user. Mobile devices need a device license after the 15th device, or so I believe
I'm trying to get screenshots of Android Enterprise enrollments of Intune to create User/HelpDesk documentation. Won't allow me to under the initial setup. Any help here?
*Thread Reply:* As a side, I use AZ Screen Recorder app to take pics/videos (free app from Google Play). The missing link is the enrollment setup process.
*Thread Reply:* Did exactly what you need yesterday. Take another device, I used an iPad, to create a video of the whole process. Afterwards I can get the necessary screenshots from the video.
*Thread Reply:* I did that. Quality of the pics is not as good as a device screenshot.
*Thread Reply:* @Ray Domingue Set ADB debugging on and use a Windows/Mac tool to create screenshots via ADB, I did that before. Can't remember the name of the tool though.
*Thread Reply:* Yeah I use OpenSTF that does screen sharing through ADB. Another option might be to use something like Reflector.
However if you're doing device owner mode this won't help you because this all happens during the setup wizard where ADB is not available yet. You can only turn it on after setting the phone up.
*Thread Reply:* I use scrcpy, an adb tool which mirrors your screen on Windows. Then take the screenshot with Windows.
Does anyone know how to fix this? Error in English: Couldn't enroll your device. You can try again or send the error information to your IT admin in an email.
MDM authority: Intune + Office 365 License: Microsoft 365 E3
Error message: DETAILS Intune mobile device management (MDM) authority is not configured yet. RECOMMENDED STEPS Set the MDM authority under Device Enrollment in Intune in the Azure portal. If this is already configured, try again or contact support.
*Thread Reply:* so if you log into https://devicemanagement.microsoft.com/ > Click Tenant Administration > Is your MDM authority set to Microsoft Intune?
*Thread Reply:* @Ajay Patel yes it is MDM authority: Microsoft Intune
*Thread Reply:* Do you have MDM push certificate installed ?
*Thread Reply:* also delete all devices assigned to this user in Azure AD
How are you using Device Categories, in general? I feel like they could be helpful for some cases, but there are some where I don't want the user to have a choice, or I want to limit their choices. Is there any way to prevent a device user from having to select one at the end of enrollment? Is there a way to filter them so that certain users only see certain categories?
*Thread Reply:* I believe you can’t control what categories users can and can’t see. It's either all or nothing. You can have one that says “Not Applicable” or something like that for users that you don’t want to have any categories assigned.
*Thread Reply:* Thanks for the 'Not Applicable' suggestion. I'm generally conflicted on Categories--in some cases, it seems great for the user to be able to choose an option, but it also seems like a chance for people to tap a 'wrong' category easily.
*Thread Reply:* If a solution requires end-user intervention most of the time, I would not consider this solution as an option. I would not feel comfortable with end-users choosing those categories. Categories are useful for situations where devices are being built by your IT. Then you can have dynamic groups or reports created based on those categories.
*Thread Reply:* We use them for the corporate / BYOD choice. Yes, uploading the IMEIs of corporate devices beforehand would be a much better option. But we have different local supply chains in every country so it's just not feasible.
*Thread Reply:* One thing that's annoying though is that they apply to all device types. On mobiles for us it makes sense to give the choice. On Windows it doesn't, it implies that we allow BYOD on Windows which we don't. I don't think it was possible to use it only for certain platforms, though I wasn't the one investigating this issue myself.
Hi folks has anyone used OEMConfig with Samsung devices? Have you experienced any issues ?
*Thread Reply:* I have, for a simple scenario; pushing a custom APN, which worked well and didn’t require the KPE license. Surprisingly Intune actually implemented it well compared to other UEMs.
*Thread Reply:* When testing this, by default all options are DISABLED instead of the reverse of being enabled and you have to make sure you allow all the simple things like Wi-Fi etc otherwise you will soon find you will need to wipe that device to remove the restrictions 🤦♂️
I find it weird that root detection is not available for DO devices. I can see it in DA and WP compliance policies, but the Rooted devices - Block option is missing from the DO compliance policy. Am I missing something?
Has anyone had any luck with consistency on Intune when it comes to Zebra OEMconfig? I sometimes get the config delivered, but it's not stable and changing values seems to require an uninstall of the app itself and sometimes also a reboot. It seems to work fine on Soti...
*Thread Reply:* The recommendation from a Zebra reseller was “use SOTI”… So far my customer still uses Android DA and Zebra StageNow.
We were facing similar issues.
*Thread Reply:* I would echo those sentiments from the reseller. SOTI has the best support for rugged Android devices from Zebra despite what Intune will claim.
*Thread Reply:* I agree that Soti has the best rugged support, but I'm surprised that Intune seems to fail delivering a standard Android Enterprise OEMconfig being on the AER-list and all.
*Thread Reply:* It's the edge browser or the managed browser
do you guys know where I can find Intune training materials ?
If you are a MS Partner: https://partner.microsoft.com/en-GB/training/training-manager?trackId=314&rowId=701
Folks help me out. I'm getting a "Register this device for full access to company resources" notification in the Company Portal that I can't get rid of. Can't find anything online. Looks like it has something to do with MFA. If you press it it takes you to Authenticator and then just sits trying to register. It fails without error and then I'm back to square one.
*Thread Reply:* Normally this happens because of Conditional access policies, Office app protection policies or a global setting (all devices need to be registered). have you changed something?
*Thread Reply:* While I was away changes been made to CA policy. Will be digging today to understand which one is affecting me.
*Thread Reply:* It wasn't CA policy. I hit the limit of registered devices.
*Thread Reply:* Had to delete all devices listed under Azure AD devices.
Do you have any restriction profile which doesn’t allow the Authenticator to add the work account you are trying to register on the device ?
*Thread Reply:* Don't think I do. Weird part is that it used to work a couple of weeks ago. Maybe someone made a change somewhere.
*Thread Reply:* Could be conditional access or mdm/mam setting in aad
*Thread Reply:* I believe the only option to restrict MS authenticator is to require device compliance flags to your CA policies that apply to iOS and Android devices.
*Thread Reply:* It wasn't CA policy. I hit the limit of registered devices.
*Thread Reply:* Had to delete all devices listed under Azure AD devices.
Hello everybody, does anybody know if you can enroll a Win10 device into AAD and from there to local AD? And what happens to the device account in the local AD if this device is used only outside the network and will connect primarily to AAD? Will the device account still become out of date? And will the user not be able to connect to the local AD when they are in the office once in a while?
*Thread Reply:* Hi Torben. I would start with Azure AD connect. https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-azure-ad-connect
*Thread Reply:* The AAD Connect is already in place. We need to activate sync of computer accounts and write back. I saw that there is a second connector for Intune to AD. Any experience there?
*Thread Reply:* Okay, I guess there isn’t any good solution at the moment. The best I can find is this: https://nathanblasac.com/setup-the-intune-connector-for-active-directory-39acd2432086
Hi All! I can't find a setting in Intune to convert an app from unmanaged to managed and nothing on MS KB, any idea? 🙂
*Thread Reply:* Pretty much you'll need to deploy an 'Application Configuration' using either .XML or Configuration Designer mode with the 'Configuration Key + Values' of: IntuneMAMUPN, String, {{UserPrincipalName}} per applications (E.g. Deploy it with Outlook App, or deploy it with OneDrive etc)
*Thread Reply:* And if the app doesn’t support app config? Is this still the way to convert it from unmanaged to managed?
*Thread Reply:* It’s not supported yet, but on the roadmap for Q3/2020: https://www.microsoft.com/de-de/microsoft-365/roadmap?featureid=51715
Hi, has anyone migrated from Device Admin to Device Owner on Intune ? Any issues or blockers ?
*Thread Reply:* Hi, well, you have to wipe the device to migrate from DA to DO/COBO, but if it‘s really COBO w/o personal data, it should not be an issue.
*Thread Reply:* If you’re dealing with Zebra Android devices the support is pretty poor. No file management capabilities and MX XML support is gone in DO for Intune as it only supports OEMConfig for those configurations.
*Thread Reply:* @Matt Dermody File management is part of the OEMConfig. What are you missing? Are you still using DA for Zebra devices?
*Thread Reply:* File Management via OEMConfig is a workaround at best, you still have to host the files externally to pull them down. The fact that Intune can’t distribute files directly to the device is a big gap for dedicated device support
*Thread Reply:* I use DO for Zebra Android (unless it's the WT6000 or TC8000), I just don’t use Intune because of the gaps. Intune is not viable for dedicated Zebra devices until it can support PackageInstaller for direct APK installs that bypass the need for Managed Play distribution and true file management (not via OEMConfig)
*Thread Reply:* Thanks. Do you know if device owner and device admin devices can coexist in Intune at the same time ? In WS1 I would have separate OG for DO and DA. How can this be implemented in Intune, considering that it uses flat grouping structure.
*Thread Reply:* Yes, they can coexist in Intune. We build a separate security group for DA devices and assign it to a device type restriction. AE WP is blocked there.
In Intune, is it possible to add ‘Department’ or any other column from AAD to the columns available in the All Devices report section in Intune?
*Thread Reply:* Nope you can just select the columns that are available under the columns button. No way to add more.
*Thread Reply:* We've made our own dashboards in PowerBI, that can be configured in great detail
*Thread Reply:* Yeah PowerBI is really a great option but i was thinking more of configuring it within the console…!
Hi, in Intune how do enterprises achieve 2fa during dep registration / onboarding? Is text message / call the only option? Our HO would like to push a user cert as the second factor but this won’t work for dep. thanks
Yeah that won't work. We use email. Text/call also doesn't work for DEP as the device is not actually usable yet at that stage. You're still in the Wizard after all.
*Thread Reply:* Many thanks @Tycho. How does the email method work as a 2fa? Thanks
*Thread Reply:* We get the user to use email from their laptop and enter the code they receive there :)
*Thread Reply:* And then we switch it to the 2FA app once it's deployed.. It's a bit clumsy but it works
*Thread Reply:* Of course users who are migrating from another device can just use the 2FA on that one so it's only for onboarding
*Thread Reply:* One thing I don't like is that it relies on users reading the documentation and following instructions... 😄 With our MFA we have no way to force it to go by email the first time.
*Thread Reply:* Much appreciated will definitely need to find and read the email option as we need a 2nd factor for onboarding via dep. Ta!
*Thread Reply:* Yes be aware though we use a third-party identity provider (PingID).
*Thread Reply:* Not all identity providers will have this option
does anyone know if you are adding some appconfig values to the Outlook app to block other accounts being added, does this apply to accessing Shared Mailboxes?
*Thread Reply:* Don’t believe so. Shared mailboxes require you to have an account signed in first that has access to it.
This might seem like a silly question, but testing Intune and trying to figure out how to quarantine or auto wipe all corporate data from a device if it is marked non-compliant. Does anyone know how to achieve this?
*Thread Reply:* @Jason Bayton any idea? Mainly targeted to iOS devices ATM and semi urgent need
*Thread Reply:* Good question, but not something I’m aware of. All my iOS devices get locked out of MS apps when they fail compliance due to conditional access, and data on disk with these apps is encrypted so shouldn’t be extractable. That’s as far as I’ve taken it
*Thread Reply:* What about 3rd party iOS apps, iOS Mail profile, WiFi profile, etc
*Thread Reply:* Also is conditional access block immediate after it falls out of compliance?
*Thread Reply:* Within an hour or so I believe. This is probably better answered by @Leon or someone who knows the product more in-depth. I don’t worry about 3rd party apps, mobile is mainly office
*Thread Reply:* It is not possible. You can only use conditional access to block access to office365 services or lock out MS apps.
*Thread Reply:* Conditional access is not only for o365 services, but for cloud apps as well. You can add 3rd party services to cloud apps and block access if the device is not compliant
*Thread Reply:* Yes but can you pull the apps the profiles?
*Thread Reply:* I wouldn’t want to block access if the device was jailbroken for example
*Thread Reply:* As @Mark Vonk mentioned, you can’t remove config profiles (Wi-Fi, VPN etc.) or managed apps when a device is marked as non-compliant. You can only block access to O365 / Azure cloud apps using CA policies.
*Thread Reply:* you can configure Wipe for some things in App Protection Policies, but only for apps which get them.
*Thread Reply:* Haven’t checked this out, but you could probably remove config profiles by script, if the device is jailbroken. But this is far away from a quarantine in MobileIron…
*Thread Reply:* thanks everyone, this was exactly the confirmation we needed!
*Thread Reply:* The retire action will be released as an action for compliance. Currently it is in private preview
*Thread Reply:* The Retire action removes managed app data (where applicable), settings, and email profiles that were assigned by using Intune. The device is removed from Intune management. This happens the next time the device checks in and receives the remote Retire action. The device still shows up in Intune until the device checks in. If you want to remove stale devices immediately, use the Delete action instead.
Retire leaves the user's personal data on the device.
Of course. This is still under NDA
*Thread Reply:* Lol so nuke the device off management entirely. Would be nice if there was a happy medium!
*Thread Reply:* Can Intune not just remove profiles and managed apps but leave the management profile there if a compliance policy is hit? Sounds crazy if not.
Intune/EPM Question on Apple iOS and AAD Dynamic Groups: How would you manage deployment of an iOS VPP App to an AD User Group to iPads only? The app should only be for iPads from a specific user group. (Not all iPads should have that app) [Note VPP 'Applicable Device Type' is greyed out]
*Thread Reply:* Is the app imported from vpp and are the licenses added and available ? It should work for dynamic groups.
*Thread Reply:* You can create a dynamic group for devices or for users, but you can’t create a rule that contains both users and devices.
*Thread Reply:* @Dimi, Trying to find some information to help convey the limitations. This article is the latest update on this: https://www.petervanderwoude.nl/post/exclude-specific-groups-of-users-or-devices-from-an-app-assignment/
So with work profiles no longer supported on fully managed devices in Android 11 I think that the answer to the question http://doesintunesupportaecope.info will be NO for ever 😁
https://blog.google/products/android-enterprise/work-profile-privacy/
*Thread Reply:* Hmm. I read this another way: COPE will be front and center in Android 11... How did you conclude that COPE is dead in Android 11?
*Thread Reply:* For me it's also not really clear. Some articles only say it gets updated, not deleted. But if you read the Upgrading user privacy section, it seems that COPE is dead, which means there is only BYOD and COBO enrollment with Android 11. This would make it hard to distinguish real BYOD users from personally enabled corp devices. It would also be interesting what this means for Zero Touch etc. When it's only for COBO/COSU, it's also dead for the normal office use case. Has anyone tested the Dev Preview?
*Thread Reply:* I read that COPE is dead on this sentence "Work profiles on fully managed devices will not be supported for either existing devices....."
*Thread Reply:* Ahh. OK. I've re-read the article. I now have the idea that WP and COPE will be "combined" somehow to be the new and enhanced WP "improved work profile experience" (WP2?) - this would mean that the 2 are more similar??
*Thread Reply:* The more often you read it, the more possibilities pop up ^^ That's why I asked for a tester
*Thread Reply:* Huh... That's bad, I really like the work profile experience for work/private separation. And as we are very strong on enabling personal use even on corporate devices this will make it more difficult for us. We currently use BYOD mode on personal devices because http://doesintunesupportaecope.info/ but we were planning to move to COPE eventually.
*Thread Reply:* Also: "On the other hand, IT will not have visibility into which of the permitted applications employees choose to install and use." <- This is already the case with BYOD, we can't see the personal side. I wonder if @Jason Bayton has some insights into this topic.
*Thread Reply:* COPE isn't dead, but it will be seemingly heavily restricted. The UX for users will remain the same (provision as normal, create a work profile) but on the EMM side the additional restrictions granted will be limited compared to WP on fully managed.
I've got a draft article I'll clean up a little and share in a bit before it goes live.
*Thread Reply:* 11 will not support the provision of a work profile on a fully managed device, it'll throw an exception and fail. EMMs have to block provision on 11 or face partially failed enrolment I guess.
*Thread Reply:* So COPE and WP will be more similar (restricted) ?
*Thread Reply:* Some more technical insights: https://developer.android.com/preview/work
*Thread Reply:* COPE is the use case rather than the underlying deployment scenarios. Rather than having two DPCs and full visibility/control of a fully managed device with a work profile, 11 will allow you to unlock additional device management with an "enhanced work profile"
*Thread Reply:* So it on paper is a work profile deployment without Google restricting the device side configurations**, which is not a million miles from WPoFMD today
**Except they will restrict a fair amount
*Thread Reply:* looking forward to the article because I'm still a long way from understanding the impact on COPE customers!!
*Thread Reply:* Especially in a KME COPE model with KNOX Workspace, although I'm waiting for an answer from Samsung
*Thread Reply:* Yeah I’ve not made any progress in understanding what Samsung will do as yet, though it remains that the Knox APIs are reasonably independent of the deployment scenarios in AE. Via KC a device can be heavily restricted and controlled even on a work profile only deployment as I understand it.
*Thread Reply:* https://bayton.org/draft/cope.html
*Thread Reply:* In the Intune world almost nothing changes. We get enhanced Work Profile and @Jason Bayton can save on hosting for http://doesintunesupportaecope.info/ as it is never going to happen now.
*Thread Reply:* ^^ 😂 I’ll keep it up forever for posterity
*Thread Reply:* @Jason Bayton why do I get the feeling after reading all this that Google saw Apple's User Enrollment change and decided they needed to have a "Me Too" moment and change things just 'cause 😄
*Thread Reply:* New in Android 12, you can only duplicate a selection of approved apps in a work profile, all other apps will be deployed to the personal profile yaaay
*Thread Reply:* I do feel it is time for Google to cut down on the acronyms, models, naming convention changes. Please Google, share some complete and unambiguous documentation on this. For example, the blog mentioned by Almar only adds to the confusion.
*Thread Reply:* So you're saying you want Google to stop Googling it up 😁
*Thread Reply:* Excellent article @Jason Bayton! It explains it really clearly and I totally agree with your criticism. I also think their renewed focus on privacy is a bit... odd. I can't escape the feeling that they try to reflect scrutiny of their own privacy model so they can be seen to have a "win" on this front without having to change their business model. Similar to their upcoming tracking protection in Chrome. "You can block cookies as long as you don't block ours"
*Thread Reply:* Thank you kindly. Just running a bit more fact checking before it goes live so I don't get called out. Par for the course 😁
*Thread Reply:* Live: https://bayton.org/2020/02/android-enterprise-in-11-google-reduces-visibility-and-control-with-cope-to-bolster-privacy/
*Thread Reply:* I gotta say I'm really curious to see how this all pans out. Maybe I'm just not in the know enough or missing something, but it almost feels like this change is pushing companies to use BYOD more for things that COPE did before and to only use the other scenarios for a traditional dedicated corporate device.
*Thread Reply:* We kinda did just that already because of Intune (COPE not supported), and I have to say we're not all that bothered with it.
However we did go through some issues around security. Allowing devices on the network where we couldn't inspect the personal apps installed was not allowed, so we have instead worked to make the mobile wifi network external-only. This worked better with our per-app VPN too: internal apps are now accessed through VPN even on site, because making an exception for the company wifi was really difficult.
So for us it was a combo of many things coming together that made this actually work. If those hadn't we'd have been in a bigger pinch though. Problem is, we really like to stimulate work/life balance and personal use of company mobiles. If we'd have to go for a COBO model it would have been a big step back in this regard.
*Thread Reply:* That's a lot of infrastructure work to support something that should be simple (COPE today) if it was actually properly supported.
*Thread Reply:* Some customers will basically go BYOD / COPE in Android 11. I know of some that will be forced to go to COBO because of this unfortunately. In that case, the user is the victim: no more personal use. So I am not sure in the end this will do any good. The customers who remain COPE did not use the specific features anyway. For the customers that will go to COBO, the UX of their users will be impacted in a major way. For me COPE had just the correct mix of features between BYOD and dedicated fully managed.
*Thread Reply:* I thought the COPE model made a ton of sense, however we are a BYOD shop so I never had a need to really try it out. I just feel bad for those that have deployed it and now have to move away; seems like a crappy thing to do on Google's part. Google and Apple are both trying to perfect their Enterprise model at the expense of the customers it seems at this point. Hopefully they both get it figured out soon so we are not in a perpetual state of change, as if we all don't have enough to keep up on already 😄
*Thread Reply:* Well poo...Throw away the 3 month investment I made for the migration effort from DA to COPE
*Thread Reply:* Bill, that's one place where I got lucky and read between the lines at the right time. When we started our WS1 initiative a few years back I could see that DA was coming to an end and that Google was gonna push everyone over to AE, so after testing DA for a bit I convinced management we should just make the jump now rather than getting stuck making it later. Since we were still in the pilot phase we didn't have that many people that had to unenroll and re-enroll, which was nice. About 6 months after that all the announcements came out about DA getting killed off. BYOD users hate change so I'm glad I dodged a bullet on that one for sure lol
*Thread Reply:* Whatever option our customers choose when having to move away from WPoFMD, COBO or WP, there are some problems to tackle. COBO will lead to disappointed users that will start using 2 devices again. WP on company owned devices however leads to several issues. For instance not being able to remove the passcode from a device should a user forget the passcode. Also no option to wipe the device from MDM when the user forgot the passcode.
Also e-fota will not work on WP devices....
*Thread Reply:* Good points Almar. You sure about e-fota? I am still waiting to see what will and will not work from a KNOX (including e-fota) perspective.
*Thread Reply:* Yep, have a large customer currently on WP, no e-fota. Confirmed by Samsung.
*Thread Reply:* Samsung can control it as they see fit. For enhanced WP they'll likely handle it like cope today
*Thread Reply:* Well not really, when using KNOX on top of AE there are some restraints as the DPC will need to execute it, and the DPC needs to be on the private side, not the work profile. Maybe with the KNOX service plugin you can do some more, but you will still need to get that app on the private side of the device.
*Thread Reply:* Samsung make changes down to kernel level, they can have it work however they choose ultimately.
*Thread Reply:* @Almar Diehl Yep the pincode reset is a big annoyance. Users expect us to be able to do this on their company phone. It's hard to sell not being able to sometimes.
*Thread Reply:* Ironically this change will drive more of a vendor lock-in to the likes of Samsung, which I thought Google's strategy for AE was to make more generic
Be sure to look out for the new Office App. It would be a huge DLP issue if not protected by Intune App Protection Policy
*Thread Reply:* The new Office app that was made publicly available in the app store last week (2/19) was not listed in the Intune App Protection Policy initially. This allowed users to download the app and transfer docs, copy, paste, etc... outside of what those DLP policies might be set to.
*Thread Reply:* Any idea which 'Office' app we are discussing here exactly?
*Thread Reply:* @Prip https://apps.apple.com/nl/app/apple-store/id541164041?mt=6
*Thread Reply:* @DashonB Microsoft stated that on 20/2 App Protection Policies will be added: https://techcommunity.microsoft.com/t5/intune-customer-success/support-tip-how-to-enable-intune-app-protection-policies-with/ba-p/1045493
*Thread Reply:* Thanks for the heads up @DashonB!
*Thread Reply:* We mitigated using the custom bundle id
@Anders Hermansson has joined the channel
Has anyone had the issue that when opening Outlook on an Android Enterprise Work Profile device (Outlook account was already added before) the Company Portal pops up and users need to authenticate similar to the initial enrollment?
*Thread Reply:* Sounds like the authentication for managed apps (MAM). Was Outlook Mobile set up before the device was enrolled? Is any App protection policy in place? If yes, for managed app and/or managed device?
*Thread Reply:* Thanks, gotta check that
Hi all, I'm looking at certification for mobility with Windows 10 as a bonus. Would MS101T00 be the right pick?
https://docs.microsoft.com/en-us/learn/certifications/courses/ms-101t00
*Thread Reply:* MS-101T00 is just the course. The course is part of the exam MS-101. For the cert you need MS-100 as well. As far as I understand, you need the MS-500 (Security Administrator) or another required certificate before you can take exam MS-101. You can find them in the overview of the cert below: https://docs.microsoft.com/en-us/learn/certifications/m365-enterprise-administrator
*Thread Reply:* you don't have to have MS-500 if you want to take MS-101
*Thread Reply:* Not for the exam (ms-101), but for the certificate (Enterprise Administrator Expert) you need one of the prerequisites.
*Thread Reply:* https://openedx.microsoft.com/dashboard free training for anyone interested in taking the MS-100 / MS-101 exams
*Thread Reply:* Thanks guys, had a closer read last night and it makes much more sense now
@Bo Snitkjær Nielsen has joined the channel
Hi Guys. Any ideas why this could happen? No restriction profiles, no compliance profiles, no sets, no Autopilot, nothing is assigned. Windows 10 Pro 1903 image. Just trying to join Azure AD during OOBE. Tested same image in other tenant, no issues. Deployed straight away.
*Thread Reply:* Selecting Try again works, but then you get to the next stage.
*Thread Reply:* MDM User Scope set to ALL, MAM set to NONE
*Thread Reply:* Getting License Install failed for license type 1. Going to try an eval version of windows 10.
*Thread Reply:* What is weird is that this same image enrols ok in the other tenant.
*Thread Reply:* It was something to do with the Win10 license. I was enrolling a VM and it was failing to activate the copy. Obtained new key and it worked like magic
@Jordan Philip has joined the channel
Hey guys. I'll preface this by saying I am coming from an airwatch background
can I view the Intune portal as a specific role? Like if I have Intune admin and helpdesk, can I switch to a helpdesk view?
*Thread Reply:* Not as far as I know. You will need a 2nd account to switch roles.
*Thread Reply:* you can limit user access just to intune with RBAC roles
*Thread Reply:* https://docs.microsoft.com/en-us/mem/intune/fundamentals/role-based-access-control
*Thread Reply:* I'm trying to build a portal for my helpdesk. I'm already looking at devicemanagement.microsoft.com for their starting point and I'm looking to hide any devices/profiles/groups not directly related to iOS and Android. Scoping tags is looking like the way to go and I was hoping there was a simple way to switch myself from Intune Admin to Helpdesk to test out different permissions.
*Thread Reply:* No, there is no way of switching roles as in AirWatch
*Thread Reply:* so I've set up another account, made a group called service desk and direct assigned this user to it
*Thread Reply:* in the helpdesk role I've assigned it to this group
*Thread Reply:* I've got an incognito window running logged into device manager as this new user, but have access to nothing
*Thread Reply:* what did I miss? 🙂 (broad question I know)
*Thread Reply:* oh, I also have 2 scope tags, one for iOS and one for android
*Thread Reply:* You create the scope tag, assign this scope to a security group in Azure AD, assign it to the profiles. Go to Intune roles, assign a role to the role security group and limit the scope with your tag
@Willem Verstegen has joined the channel
Hi, just planning some security for Intune.
Is it possible to enforce the domain credentials for the lock screen of a mobile device? Just like a typical Windows workstation.
*Thread Reply:* With Shared iPads this is exactly what happens. Available in iPadOS 13.4 for Apple Business Manager or older iOS with Apple School Manager. Requires federation with Azure. But why? Think of the pin code on mobiles as the pin of Windows Hello on win10. More secure since if someone sees you type the code they need both device and code to break in. If you use password and you expose your password (because you would need to type in public) then attackers can login remotely with just the password
Does anyone have a handy document that shows the different intune protected apps and what version of the intune SDK they use? I've been trying to find something from Microsoft and I've come up empty.
*Thread Reply:* Something like this? https://docs.microsoft.com/en-us/mem/intune/developer/app-sdk
https://docs.microsoft.com/en-us/mem/intune/developer/app-sdk-ios
*Thread Reply:* What I need is the list of Microsoft apps and which version they are currently using, I'm not trying to build my own.
Hey guys, does anyone know how to handle the MAM in Intune? We want to know what the process is for adding an app and sending it to a new customer. We added a new app and created a group of users, but it seems that the users don't see the apps.
*Thread Reply:* Beware that MAM in that context usually is about app protection policies and not deployment of apps. Did you select the new app to be required or on-demand ? iOS? Android? Internal App? Public App? VPP App? Device-based or user-based licensing? Is the group a device group or user group?
*Thread Reply:* Internal iOS App, and it is set as on demand
*Thread Reply:* it is set as a group of users
*Thread Reply:* and the app is not inside company portal app?
*Thread Reply:* well, if I log in in the browser I can't see the app
*Thread Reply:* Are these users licensed with an Intune license?
I've had a question about controlling where users can save in the iOS\iPadOS versions of the Office Suite. At present, the users can save to OneDrive but ideally, we'd like to restrict that to just SharePoint. I wasn't sure if there is an AppConfig option or similar for this or if it's controlled via some other method such as in the Office Portal.
You'll need to apply App Protection Policies to your Office 365 mobile apps. These policies allow you to control where users can save files (OneDrive, SharePoint or Local Storage)
https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-settings-ios#data-protection
*Thread Reply:* Thanks Phil. I thought that might be the case, I'm not super familiar with the options in there. It looks like I have some reading to do!
*Thread Reply:* I need to test it but I think that's given me the answer! Save copies of Org data (thanks again Microsoft for naming stuff in such an obvious way 🙄 ) seems to let me specify what I need.
*Thread Reply:* No worries, it should give you the DLP controls you’re looking for.
Users will need to be assigned Intune licenses as well.
@TGR and I have tested pushing private LOB .apks to AE DO Intune enrolled devices. We have however not been successful deploying anything, and Intune provides no logs or feedback on what goes wrong. We are wondering if there are requirements we are missing. Is this perhaps only for Device Admin enrolled devices, or does MS have a requirement for Company Portal to be present on the device (which would seem odd for a shared device LOB scenario)? Feedback is much appreciated 🙂 https://docs.microsoft.com/en-us/mem/intune/apps/lob-apps-android
*Thread Reply:* Hi Ole, Look at the second note from the op in the link...
*Thread Reply:* you need to upload the app to (private) play store and then distribute from there
*Thread Reply:* We are aware that the preferred way is to use Managed Google Play private hosting, but if you have quite a few variants of that particular app, pushing the apk is a lot simpler
*Thread Reply:* It’s not clear from MS documentation that just uploading an apk file is just for DA, it just says that for Android for Work GMS private hosting is relevant…
*Thread Reply:* and in other EMM systems it’s possible to install apps directly, either by prompting the user to accept and allow third party installs or as in SOTI where you can install and apk file directly without asking the user.
*Thread Reply:* So I guess the question is: Is it in any way possible to do this in Intune (LOB apps was our straw of hope to cling onto…)
*Thread Reply:* Last I checked Intune does not support direct distribution of LOB apps under AEDO and they have no plans to support that capability
*Thread Reply:* Intune for AEDO is basically just the base Google features with little to no extra value adds. They don't even have a custom DPC. They don't support file management. It's the bare minimum to claim "AEDO" and that's it.
*Thread Reply:* SOTI is absolutely superior for the DO use case. I don’t even consider Intune to be a viable option.
*Thread Reply:* I’ve mainly used SOTI for dedicated Android implementations so far, but customers are starting to ask for Intune in this space, so we’ll have to do a bit of magic… Actually Intune has started pushing out their Intune app together with the Google Cloud DPC - so far you can’t do much with it apart from set the log levels and press sync, but I’d expect this app to be the app to service calls that are not 100% AE specific such as file sync, apk install and so forth…
*Thread Reply:* We have customers asking about it all the time too since it is "free" with O365. It doesn't help that the nuanced differences in management capabilities between AEDO and DA make it an even more complicated discussion with CIOs that google "Intune+Android" and find a bunch of results. We have to do a ton of education to convince someone that having a "single pane of glass" isn't necessarily better than having "the right tool for the job".
*Thread Reply:* @Matt Dermody Wholeheartedly agree, but the argument 'it's free' (AKA we already paid for it) tends to be a decision already made 🙂 And sorry for not replying sooner, Corona-times keep me busy between work and homeschooling.
Does anybody know how to stop users using the option to 'Add a Place' in mobile apps like Word and Excel? I have configured an App Protection Policy which shows only SharePoint when trying to save, but users are still able to use the option to 'Add a Place' and then select OneDrive.
*Thread Reply:* It doesn't look like you can do this. I resolved the issue by simply deleting OneDrive from the portal and then removing the personal sites for the users with Remove-SPOSite
Is it possible to set a corporate background in Intune for an Android device without using the Microsoft Managed Home Screen? The AfW Enterprise enrolment is enough, I just want to brand the device in a minimal way.
I have two Apple DEP enrollment tokens visible in Intune: one is valid and the other one is expired. There are no devices bound to the expired token, but I can't delete it. How can I remove this expired token?
*Thread Reply:* Could it be related to this? https://techcommunity.microsoft.com/t5/intune-customer-success/deleting-dep-enrollment-for-ios-ipados-macos-for-default/ba-p/1191418
*Thread Reply:* Right on the money! Thanks
*Thread Reply:* I ran into this. Had to open a MS case for them to delete it.
Does anybody have any ideas on how to block mobile users from adding additional cloud storage like Box and Dropbox to Word and Excel?
*Thread Reply:* @Paul Conaty Do you mean creating an App Protection Policy? Because I've done that and it doesn't stop that feature from working, unless there is a setting I've missed. Do you have any specific tips?
*Thread Reply:* I think it's Managed location needed for Office IIRC
*Thread Reply:* Save copies of org data -> Block
*Thread Reply:* and then set allow user to save copies to selected services
*Thread Reply:* caution: Android works differently than iOS, regardless of the settings being the same
*Thread Reply:* Hmmm my customer is saying this is not working. I will have to see if I can get an iOS device to test this with my own tenant.
*Thread Reply:* also make sure it is assigned 🙂 Very easy to forget to assign to correct user group
*Thread Reply:* and caution for 3rd party intune sdk apps, they ignore the setting.
*Thread Reply:* Yeah, this isn't working. I cannot believe that Microsoft have made a system that makes it easy for users to just walk off with corporate data by simply adding a non-corporate location to Word. Such a busted design.
*Thread Reply:* Maybe I misunderstood how this is supposed to work. For me I can still 'Add a Place', however you are correct, I cannot save a document into Dropbox that was first created in a corporate app. So functionally it is working as I would like; I think the perception was that I could prevent the adding of these services at all rather than blocking access to them after they had been added.
*Thread Reply:* I guess the client's real concern is that I could add a docx file to Dropbox, open it on my phone and start typing in company data but I guess they could do that with any app. Data can't be copied between files so the next step is to create a DLP policy. Thanks guys for helping me work through this, understanding the limits of how something is supposed to work is half the battle!
*Thread Reply:* that's correct (for iOS)! On Android Enterprise it's different.
*Thread Reply:* @Wolfgang Bauer How so? I tested this on an AE Fully Managed device and it worked that way too.
*Thread Reply:* on Android there is a managed app config that blocks all other accounts, and "block store files on device" works differently than you might expect.
Hi guys, new here. I'm trying to set up ABM with Intune and I'm following the docs correctly; when I turn on the device I'm getting "invalid profile"..
Hey guys.. is anyone managing Android rugged devices via MS Intune? How are you managing the grouping if your environment is based on geographic divisions? How is the experience?
*Thread Reply:* No. I would not recommend Intune for any Dedicated Device (rugged) use cases.
*Thread Reply:* Thank you for that Matt but my clients are pushing us to try it in Intune 🤦… and are asking practical data points recommended by vendors, points noted officially that it is not recommended with Intune…
*Thread Reply:* I'm with @Matt Dermody on this one, they should use something like Workspace ONE that has a background in rugged device management.
*Thread Reply:* WS1 or SOTI, Intune is so bad
*Thread Reply:* No LoB apk installs, only through MGPA
*Thread Reply:* which means no version control
*Thread Reply:* no roll backs, barely any ability to control app updates
*Thread Reply:* No file management capabilities which are required for a lot of configuration of Zebra and Honeywell devices
*Thread Reply:* OEM configuration through OEMConfig only, no support for MX in Zebra devices
*Thread Reply:* OEMConfig still has a long way to go, you’re also reliant on the Play Store for distributing the changes
*Thread Reply:* It may be fine for the BYOD use cases but it is not recommended for mission critical rugged devices
*Thread Reply:* It's basically just a front end for base AE management. They don't seem to have any value adds on top of that. They don't even have a custom DPC. They are doing the bare minimum
*Thread Reply:* Great guys… thank you very much for the details… I am currently testing the same solution… will need to find more data points… do we have any blogs explaining the same?
*Thread Reply:* I’m about ready to write one myself because I hate having this conversation constantly
*Thread Reply:* That would really help me and others who might have such plans… will keep you posted… @Jason Bayton any thoughts?
*Thread Reply:* I don’t want to put words in his mouth but Jason is typically of the mindset that mobile app developers and OEMs should be changing their strategy to align with Google’s vision for Android Enterprise rather than the other way around so I would be willing to bet he is supportive of Intune’s strategy since it is directly in line with Google. With that said, I would also be willing to bet he would agree that WS1 or SOTI are the way to go for dedicated devices.
*Thread Reply:* Yes and yes to Matt. I’m critical of Android Management API though, as it lacks so much compared to what customDPC can do. Even so, Intune could be adding far more custom functionality but they haven’t, including private app deployment and such as that’d be more than possible alongside AMAPI
Does anybody have experience with using Endpoint Manager to block the install of specific Win32 apps?
*Thread Reply:* From what I can see Microsoft want us to use Defender Application Control to whitelist, but that looks like some serious work and not great for responding to an immediate threat. In the long term I think this is the way to go, but I need to block an app now, not in a week's time when I've had an opportunity to implement a proper test of WDAC. 😬
If anybody has some thoughts I'm all ears.
Hello everyone. Does anyone have any document that lists everything that can be managed on Win 7 and 8 computers using Intune?
*Thread Reply:* Hi, look into this article, the OS type is listed below every setting:
https://docs.microsoft.com/en-us/mem/intune/configuration/device-profiles
*Thread Reply:* As far as I know Windows 7 is not supported
https://docs.microsoft.com/en-us/mem/intune/fundamentals/supported-devices-browsers
*Thread Reply:* Hi Nico, thanks for your answer, but I think it's still possible to manage them using the PC client: https://docs.microsoft.com/en-us/mem/intune/fundamentals/intune-legacy-pc-client
*Thread Reply:* I think I just found... https://docs.microsoft.com/en-us/mem/intune/fundamentals/intune-legacy-pc-client
*Thread Reply:* this one https://docs.microsoft.com/en-us/mem/intune/fundamentals/pc-management-comparison
*Thread Reply:* I see. You have to use Intune Classic Portal for them.
*Thread Reply:* exactly, and it seems co-management with SCCM would not be possible
Folks I've banned the use of Zoom for the biz, and on checking intune noticed I don't really see apps on windows 10 being synced outside of those from Microsoft. Is there a setting I've missed that opens this up? They're all corp owned and set as such.
*Thread Reply:* https://docs.microsoft.com/en-us/mem/intune/apps/app-discovered-apps
*Thread Reply:* That doc explains what you should and should not be able to see with regard to app inventory.
*Thread Reply:* Blocking apps in Intune seems impossible, can Zoom be blocked at all using Intune?
*Thread Reply:* You can push an AppLocker profile via Intune to W10 clients which would block the Zoom install, but not web-only join I don't think. That would require a browser blacklist or similar
*Thread Reply:* Like just visibility is enough for me at the moment. It's a small company and I can handle folks as required without necessarily blocking it.
*Thread Reply:* @Paul Conaty I looked at AppLocker but unless I was doing it wrong it didn't seem to stop the Zoom.exe app from running on my test laptop. You're right about the web-only join, but I think that's less of an issue, as it's the potential for data harvesting that has our CIO concerned about it. We have quite a few partners who use it too and we're trying to get them to use Teams, but it's not easy.
*Thread Reply:* What's the point of discovered apps if it only shows me MS apps?
*Thread Reply:* Good question. Like a lot of functions in Endpoint Manager it seems superficially useful but ultimately not very good.
I'm trying to stage Android devices in Intune so that they are enrolled prior to shipping and I thought that a DEM account would be what is needed but it's not working as I would hope. What I want is for the device to be enrolled and have applications deployed but to be able to switch to the end user once they receive it. Is this possible in Intune?
*Thread Reply:* no, this is not possible exactly the way you want it. Your best bet is to use Zero Touch or KME (if Samsung devices); then all the users theoretically need to do is just connect to wifi, it will download the Company Portal, and the user signs in
*Thread Reply:* I guess you need to enroll the devices as Corporate-owned, fully managed user devices either by DPC, QR or NFC enrollment (or Zero Touch if this is an option). I’m not sure if the device will turn up in Intune before the user signs into Company Portal - I would assume so - if it does, you might be able to create dynamic groups to hit the devices in question with apps and policies.
*Thread Reply:* @Ajay Patel Thanks, that's what I thought, I'm going to have to get all the devices added to DEP and KME. I spent a long time working at VMware deploying Workspace ONE and I never really understood just how much better than Intune it was until I had to use Intune as my only option. It's just not really designed with real use cases in mind.
*Thread Reply:* I guess MS's focus is more user-based with BYOD in mind. It's actually getting better at a fairly fast pace I think, but there is still a lot to wish for compared to some of the competition..
Can anybody help me understand why, if all my W10 laptops are registered with Autopilot, a handful of them are trying to enrol using Azure AD Join rather than the approved Autopilot configuration of Hybrid AD Join? I'm not sure where to look for why these machines are using the wrong enrolment method.
*Thread Reply:* Don't have much exp in Hybrid, but I would look at the Autopilot profile, because it is a profile that defines the type of join and it is one of the first things that gets delivered to a device.
*Thread Reply:* https://www.anoopcnair.com/windows-autopilot-hybrid-domain-join-guide/ I bookmarked this blog some time ago, maybe it can help you. But you've probably seen it anyway.
*Thread Reply:* also check resources at the bottom of his blog
*Thread Reply:* Yes and No. Windows, iOS, or Android?
*Thread Reply:* Hey @Dimi, we (GroundControl) have lots of customers using shared iOS devices in healthcare, and other customers using Intune… not sure if we have healthcare on Intune yet. But I’m happy to share what I know.
*Thread Reply:* groundctl.com — management of shared iOS devices, especially clinical communication and patient iPads.
*Thread Reply:* I should say, software to manage the devices. And earlier this year we were acquired by Imprivata.
*Thread Reply:* @Dimi out of curiosity are you trying to gather information, just looking for best practices, or a deeper dive of looking for implementation help?
General question regarding SSO for Intune managed devices - what are the supported authentication methods to implement SSO for internal On-Premise systems? Any experiences out there?
*Thread Reply:* SSO for which platform? W10, iOS, Android?
*Thread Reply:* Sorry.. iOS and Android Enterprise
*Thread Reply:* Examples would be: SSO for Sharepoint, Fileserver, CRM System, Intranet - all On-Premise
*Thread Reply:* If I am correct there is a way to do this with Exchange On-Premise via Cert Based Auth or Kerberos Constrained Delegation.. not sure though
*Thread Reply:* Yes, SAML would also work.. but we have not every System on SAML yet
*Thread Reply:* Fair enough. SAML is the simplest way, but I'm pretty sure iOS supports Kerberos, on iOS 13+
*Thread Reply:* Yeah, check this. https://docs.microsoft.com/en-us/azure/active-directory/develop/single-sign-on-macos-ios
*Thread Reply:* Android I'm not sure about though. I remember in Workspace ONE we had some pretty janky workarounds using a cert proxy to get SSO to work so I'm guessing outside of SAML you're going to run into similar problems with Intune.
*Thread Reply:* Great thanks. I missed this documentation. 🤦 Are you using any of this with Intune?
*Thread Reply:* For iOS you can also do Kerberos directly to your windows servers.. Android needs Hypergate (app) to do the same…
*Thread Reply:* You probably missed it because it's brand new 🙂 Only popped up 2 weeks ago (though it was announced at last year's Ignite there was no reference to it anywhere)
*Thread Reply:* Not with Kerberos as we block all our mobile devices from accessing AD but with Azure AD
*Thread Reply:* Right.. I have been looking for a documentation around Kerberos. Do you guys mean this under the section SSO?
https://docs.microsoft.com/en-us/mem/intune/configuration/device-features-configure
Oh wow, we had something similar with PingID recently too. Thanks for the heads up!
Hi guys,
Is it possible to install applications under administrative rights and not in system context mode? I have a tricky bit of software that requires local admin rights to install, but my users are standard users and system context installs aren't supported. The software essentially needs to install the way MDT natively installs software; can this be replicated within Intune?
Thanks
Does anyone know what controls when this warning for Intune App Protection policies hits apps on devices? We have always seen it during initial app launch when the policy is applied but some users are getting it random (some multiple times a month)
*Thread Reply:* I'm getting the same thing on my iOS device. I've asked MS Support the same question ... but no solution from them on this. If you have an answer on this, I'd love to know this!
*Thread Reply:* Isn't it the normal behavior when the App Protection Policy kicks in?
*Thread Reply:* Yes, it's normal behavior, but when it initially hits. The question is under what conditions the user is re-prompted with the same later, along with force crashes of the app.
*Thread Reply:* @Kiran Patel have you heard anything more on this? I'm curious to know what you've found out. MS Support was no help really. They want me to create a new APP and assign myself just to that policy to see if that fixes it. (I have no idea why?)
*Thread Reply:* unfortunately not yet but will def keep this updated
Is it app updates, policy refresh intervals, etc?
Anyone here leverage Box for EMM with Intune App Protection Policies? If so, curious whether you also figured out how to get iOS Files app integration working to make it easier to open and save files from the MS Office apps
*Thread Reply:* @Kiran Patel stupid question ... are you using O365? If so, why not leverage OneDrive instead of Box?
*Thread Reply:* Yes we are, but not fully deployed. Experience-wise Box had some features we preferred, so it was already globally deployed a while back
we are shifting from iOS Mail and device managed open in restrictions which protected us for our requirements to Outlook for iOS and the "Protect Org Data" policy is limiting our options for using Box with Outlook attachments
*Thread Reply:* When you say "limiting" how do you mean?
Hey, has anyone had much success with ZTE or KME and using JSON to force a user to set a device passcode during the initial setup? Finding that Intune is quite slow with pushing out the profile/compliance, and doesn't actually prompt the user to set the passcode once it all (finally) comes down.
Any input or ideas would be super helpful! Thanks all
Does anybody have experience with troubleshooting Autopilot errors? I have devices that are AzureAD joined but will not register in Endpoint Manager\Intune because the machine keeps trying to do an AAD join rather than a Hybrid AD Join which is the only method allowed by the assigned Autopilot profile.
I can see the device is synced in Autopilot and has an associated Azure AD device listed, but it keeps trying an AAD join, which I believe happens each time the user has to authenticate against Azure AD. This means I'm getting hundreds of errors from just 3 machines.
Does anybody know how to deal with this is scenario?
*Thread Reply:* Is the local AD available for the device?
*Thread Reply:* It is. The strange thing is that when I look at the device it says it is joined to the AAD and the domain which is normally the sign of a Hybrid Domain Joined device.
*Thread Reply:* The process is first an AAD join and then a domain join. So that might be the issue
Anyone know how to obtain the app ID for Company Portal? I’ve used Fiddler to no joy. I believe it starts x-ms or similar. Thanks
*Thread Reply:* Android : com.microsoft.windowsintune.companyportal
*Thread Reply:* Windows : check "C:\Program Files\WindowsApps\Microsoft.CompanyPortal10.4.8061.0x64__8wekyb3d8bbwe\AppxManifest.xml"
*Thread Reply:* For iOS bundle IDs I use this site: https://offcornerdev.com/bundleid.html
*Thread Reply:* I was led to believe it starts x-ms but I think it’s as above.
Hi All, I am trying to deploy an EAP-TLS Wi-Fi config using a SCEP certificate to Android Work Profile with the help of Intune. Unfortunately, the error message I receive is very generic and I can't get more info on it. 0x87D1FDE8: Remediation failed is the error message and the Wi-Fi profile keeps on failing. Any suggestion welcome 🙂
*Thread Reply:* If the certificate is missing, an EAP-TLS profile would fail to install i presume
*Thread Reply:* Yes, the only profile that is failing is the Wifi profile, all the rest is marked as successful
*Thread Reply:* I guess Intune sees the certificate as being installed at least. Have you tried creating the profile manually with the installed certificate?
*Thread Reply:* When I’ve banged my head against the wall for too long, I always try to see if things can be achieved manually to make sure that I haven’t missed something in the process…
*Thread Reply:* But that said, I’ve encountered a few scenarios where EAP-TLS + cert profiles fail for different reasons.
*Thread Reply:* If you had written that it was a device owner / dedicated setup, I would have suggested to both check in from the Google DPC AND the Intune app on the device, but I assume you’re using Company portal?
*Thread Reply:* That's correct, I am using Company Portal, and I did not do the testing using a DO yet. It's for a customer and I don't have access to all the root certs. Curiously enough, when you upload them to Intune, you need to select the option DO/Work Profile and they're only available to the selected mode.
*Thread Reply:* yup - That disables the option of having one profile for both types of enrollment, so you might have to create two if you use both enrollment types
*Thread Reply:* Finally found it. Somewhere, dug deep inside the log files... "Excluding cert with alias Userxxx and requestId yyyy as it does not have the UPN SAN." Adding the UPN to the SCEP SAN fixed the issue.
*Thread Reply:* Of course - no problem, just glad I could help :)
*Thread Reply:* Which log files did you find it in by the way?
*Thread Reply:* I don’t have great experiences with the intune logs…
*Thread Reply:* @JF Rigot In which logs did you see the message you mention?
*Thread Reply:* @TGR Sorry for the delay... OMADM.logs as mentioned here https://docs.microsoft.com/en-us/mem/intune/protect/troubleshoot-scep-certificate-profiles#logs-for-android-devices
*Thread Reply:* Ah ok - the device logs from CP - thanks for that 🙂 I see a few customers with issues relating to SCEP and Android Enterprise, but there are a few different issues relating to different stuff.
Hi All, anyone experienced with iOS custom apps assigned to Orgs in ABM and the ability to administratively block/enforce auto-updates of newly published versions in the App Store? #soti and #mobileiron and #workspace_one are able to support such a feature, but I can't find any similar features in Intune?
If I have a native iOS/Android application, with MSAL built in, can I use the AAD App Proxy to tunnel the app like MobileIron AppConnect or VMware SDK? Or is it just the "webview" traffic from that app? Does anyone have a good explanation?
Hey folks, is there a way to find out why a device was not compliant in the past, now that it is showing as compliant?
*Thread Reply:* can this be done somewhere in the console ?
With Intune on Android/iOS, is there a good resource on Per App VPN setup and usage?
I'm currently using VMWare Workspace One, and the one key feature that is currently missing is the VMWare Tunnel/Per App VPN. VMWare provides an on-premise virtual appliance to provide per-app VPN, but I don't see a similar offering for Intune. Thanks!
*Thread Reply:* The Intune/MEM/Microsoft feature that is most comparable is the Azure App Proxy
*Thread Reply:* Different beast but the Microsoft answer to mobile VPN
*Thread Reply:* On that, as it’s an app layer proxy, does this work with native apps / WKWebView / UDP traffic?
*Thread Reply:* My understanding of Azure App Proxy is that it only works for webApp (http/s) but doesn’t work with native apps. If you need per-App VPN then you will need to look at third party VPN vendors.
*Thread Reply:* Azure App Proxy can work for native apps too. Not for all apps but can work.... VPN is more generic and should work across almost anything, Azure App Proxy less so, but still quite useful and easier to maintain than VPN
*Thread Reply:* Azure proxy requires the sdk for apps, this is why I ask for WKWebView
*Thread Reply:* WKWebView is safari embedded in apps
*Thread Reply:* We have deployed NetMotion for our Intune customers. Couldn't recommend it enough. Microsoft and NetMotion deepened their integration earlier this year.
*Thread Reply:* I set up per-app VPN with F5, Pulse Secure and NetScaler
I would like to use the “Operating system build number” in an Intune dynamic device group to target Zebra OS updates to devices needing this. I don’t think this is currently possible thus I could use your support on user voice. https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/39958801-ability-to-use-os-build-number
*Thread Reply:* Done as well. In the meantime you could try AirWatch or SOTI, which have both supported this for several years
*Thread Reply:* You can have complex filter based on BSP and other criteria
*Thread Reply:* Yes I know SOTI very well it’s really nice and very simple Zebra MX integration 🙂
New to Intune... can’t figure out where, in Android Enrollment, to set up Work Managed profile. I must be missing something obvious?
*Thread Reply:* https://docs.microsoft.com/en-us/mem/intune/enrollment/android-work-profile-enroll
The issue is only the work profile option appears. Work managed is not an option. Any thoughts?
*Thread Reply:* https://docs.microsoft.com/en-us/mem/intune/enrollment/android-enroll
*Thread Reply:* Work managed profile = COPE? Intune doesn‘t support COPE.
https://bayton.org/2019/10/why-intune-doesnt-support-android-enterprise-cope/
*Thread Reply:* But Google will change COPE to an enhanced work profile with Android 11 which will probably be available in Intune.
*Thread Reply:* @Nico Hermeling Isn't COPE a hybrid of Work Profile and Work Managed? That was my understanding, but I could be completely mistaken.
*Thread Reply:* The real issue is that "Android Enterprise fully managed" is not appearing as an option. Per
*Thread Reply:* So the question is why is "Android Enterprise fully managed" not appearing, in accordance with the Microsoft documentation?
*Thread Reply:* COPE is a work profile on a fully managed device.
*Thread Reply:* Have you configured the managed google play yet?
*Thread Reply:* Are the other enrollment options available? Corporate-owned dedicated devices and Android device admin?
*Thread Reply:* Hm...is it an Intune standalone tenant?
*Thread Reply:* Or have you used Intune hybrid with SCCM?
*Thread Reply:* Standalone, but I just noticed the MDM authority is unknown.
*Thread Reply:* This is what we see in our test tenant
*Thread Reply:* This is the only thing we see in the affected tenant:
Is it possible to manage NFC when using AE dedicated devices in multi app kiosk? We notice NFC tag is scanned ( device bleeps ) but app doesn’t respond to input from NFC tag.
*Thread Reply:* There is a setting for device owner restrictions where you can block or leave NFC. It doesn’t sound like it’s blocked though if you can hear bleeps…
*Thread Reply:* You mean the beam data using NFC? Doesn't do much, must say I don't know the exact config the customer is using. I am able to transfer data via NFC in my config though. Might it be an app-related issue? They said using the same app in DO (no kiosk) works fine
Hi folks, any idea why this could happen on a domain joined Win10 device when trying to configure hybrid join?
*Thread Reply:* Domain device is managed with GPO and no SCCM. All Intune settings seem to be configured ok. MDM authority set to Intune, all users are allowed to enrol devices, and MDM user scope set to “All” and MAM scope set to “None”.
*Thread Reply:* https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current take a look at this thread. It has helped me numerous times
*Thread Reply:* sorry i totally missed your other picture (dark mode and a dark photo are not good for my eyes). Looking at the join status, it is already joined to AAD hence the issue you are getting?
*Thread Reply:* According to that screenshot it is. But I can’t see it in Intune > All devices
*Thread Reply:* do you see an account setup in the workplace settings on the device? If so, perhaps try remove it and redo it
*Thread Reply:* is that in “Access work and school” ?
*Thread Reply:* In the Event Viewer, look for event IDs 75 (successful enrolment) or 76 (error)
*Thread Reply:* Also, using dsregcmd /status, look for AzureAdPrt : NO/YES. If it's NO, that means your user didn't get its SSO Primary Refresh Token which is required to auto enroll the device in Intune (via GPO for example).
*Thread Reply:* Would that be User Device Registration events ?
*Thread Reply:* Enrollment events are located in Application and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider/Admin
*Thread Reply:* AzureAdPrt = YES, AzureAdJoined : YES. Double checked the Azure AD Connect and if password hash is enabled, all looks good. No events with ID 75 or 76 detected.
*Thread Reply:* I’m getting “automatic registration failed at join phase 0x801c001d” in Applications and Services Log > Microsoft > Windows > User Device Registration
*Thread Reply:* which seems to point to DSREGAUTOJOINADCONFIGREADFAILED (0x801c001d/-2145648611) • Reason: Unable to read the SCP object and get the Azure AD tenant information. • Resolution: Refer to the section Configure a Service Connection Point.
*Thread Reply:* but everything is looking good in there as well
💸💸💸 $20 bounty via PayPal if your advice helps me to get this ☝️ resolved 💸💸💸
Anyone else testing / evaluating MEM with Apple User Enrollment? The feature has been sitting in preview for a long time now, but we do still miss some very basic functionality (like installing managed apps from the Company Portal app). How about your experience with MEM + Apple User Enrollment so far?
Most are probably aware, but thought I'd just highlight that the current Intune portal/blade will be retired on the 1st of August. It will be moving to https://endpoint.microsoft.com/. I for one am certainly glad of the new look and no more blades!!!
*Thread Reply:* Need to start using it more. Still using the old one.
Intune - SCEP certificate - Android Enterprise Work Profile devices. Profiles stay pending… Trying to put Root, SubCA and SCEP certificates + a Wi-Fi profile onto Work Profile devices, but the policies stay as pending with no messages or error/return codes whatsoever. I have similar policies installed on both iOS devices and also Android Device Owner devices. What have I missed and where can I find clues?
I’m looking through the device logs from Company Portal, but there are no mentions of the profiles I’m trying to add.
Bonus info: I’m testing on various Samsung devices running from Android 8.0 to 10
*Thread Reply:* @TGR did you assign the root + int + SCEP profile to the exact same group? Must be exactly the same groups. Otherwise SCEP profiles will stay in pending mode....
*Thread Reply:* @Peter Mohr ahh - that’s great knowledge. I think we had just done that by default. I also just heard today that you can’t push SCEP profiles to All Users but you can push them to All Devices... I can now also add that the original profiles available for trusted cert, SCEP and Wi-Fi for Android Enterprise (created maybe half a year ago) didn’t take into account whether it was for a work profile or a device owner, so the original profiles that were tested functional for work profile enrolments around February now just stay pending... So it seems as if the original profile was changed to a device owner profile and didn’t stay as an all-round AE profile working for both DO and PO. So after creating new profiles with the exact same content, just specified for work profile, it started working. I still haven’t found the place where MS have written which enrolment type those profiles are for - it just states ‘Android Enterprise’... sigh
*Thread Reply:* I've pushed SCEP profiles to "all users". No problem.
*Thread Reply:* Strange - just heard the opposite today where it worked just changing the assignment to All Devices… Well - maybe different builds have offered different experiences… not sure when the guy I spoke with today had tried All users.
Has anyone enabled this setting in Endpoint Manager to give users access to the Play Store on a fully managed device? I annoyingly didn't take any test devices home before lockdown, so I can't test anything. Just wondering whether people have come across any implications when enabling this.
*Thread Reply:* I haven’t tested it myself, but I’m pretty sure I wouldn’t do it in a prod environment either as it defeats the purpose of making sure you know what’s installed in the work ‘container’ that is the full device in a device owner setup
*Thread Reply:* @TGR totally get that but some customers want a COPE like solution which this kind of does just without the work profile
*Thread Reply:* @Ajay Patel What I have tested though is similar - adding a personal Play account next to the managed one, so you have the personal apps lying next to the corporate ones. At least this makes sure that if you have DLP settings allowing for managed apps to only talk to other managed apps, the personal apps can’t talk to the managed apps. This, I guess, is similar to the old DA approach.
Anyone got their hands on the hololens 2 yet? How about enrollment into Intune, any experiences?
I've read the below line about 100 times now and still don't understand what the policy actually does. This is in the password section of a work profile restriction policy: "These password settings apply to personal profiles on devices that use a work profile."
Can someone dumb it down for me if they know 🤣
The password settings are pushed to the device, not the Work Profile
So users will end up with a device password, not a work profile password
*Thread Reply:* that makes a lot more sense! thank you @Mark Vonk! so just to clarify, this will override whatever device passwords are already in place if they don't meet the requirements.
*Thread Reply:* Correct. If the password conforms to the settings, they can keep the current password. If it does not conform, for instance the password is not complex enough, etc., they will be prompted (Company portal app) to create a new one
A work profile password can be set in the Work profile settings of the configuration.
is it possible to change the device name for android and iOS devices? i know with other UEMs you can use wildcards but everything online seems to relate to only being able to do it for Autopilot devices.
Okay, so I just got confirmation that we are going to start the process of moving away from WS1 and over to EPM, so does anyone have a guide or chart that breaks down the pros and cons of MAM vs MDM with EPM? I've been tasked with figuring out what functionality we would lose if we just stuck with MAM this time around instead of doing a full enrollment again. I'm going to assume things like conditional access to eliminate the need to do 2FA to log in to company sites doesn't work with MAM, but please tell me if I'm wrong, as we are just starting to look at Single Sign On as a company so that stuff is all new to me at this point. Thanks in advance
*Thread Reply:* @Boe There is a setting in conditional access policy to “Require app protection policy”. But it is somehow half-baked. For example only some apps are supported - https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-grant#require-app-protection-policy Regarding MAM only vs MDM: do you need to deploy certificates / Wi-Fi / VPN profiles to your devices? What about jailbreak/root detection, integration with some MTD solution etc? BTW…. We are just piloting our tool for migration from a previous MDM (currently WS1, MobileIron) to Intune. It consists of a mobile app and a web service, and includes the possibility to unenroll the device when it is suitable for the user from the mobile app, customisable guidance/instructions inside the mobile app and full migration visibility = reporting about remaining devices, migrated devices, devices lost from the old MDM but missing on the Intune side - we are matching records against the Intune device inventory. Let me know if you are interested in more details.
*Thread Reply:* hey @Boe been off Slack for a bit and just saw this. We are heading down this same path. It's 100% financially driven. The flat structure, the scope tags, conditional access, I can see a way to make it work but its not going to be pretty.
Given that app proxy offers an equivalent per app / vpn function: I added a lob app but don’t see any flag to tell the app to use appproxy. Any ideas? Cheers
*Thread Reply:* The app must be built to support this. The endpoint should possibly be changed from the internal FQDN to the App Proxy FQDN
*Thread Reply:* Thanks @Peter Mohr so in our migration scenario we’d have to ask Developers to redevelop all lob apps it seems and build in the app proxy fqdn. I’ll hunt for some more convoluted ms docs. Ta.
Is there any way in Intune to configure Outlook for iOS to sync contacts to the local Contacts app without using iCloud sync? From what I have found the only way would be to ask the user to disable the iCloud contacts sync before enabling contacts sync in Outlook. But that would also mean that the user’s private contacts will no longer sync with iCloud.
Enabling the contacts sync using iCloud is rather messy I think since not only will all business contacts be stored in iCloud but they will also be available on all other (unmanaged) i-Devices the user has.
*Thread Reply:* Yeah. Don’t do this 🙂 If you must, then set up a different native mail/EAS sync and only allow contacts (or allow all types depending on your requirements)… Use certificates when possible 🙂
*Thread Reply:* @Almar Diehl are you talking about BYOD devices? If so maybe look into Apples recent "User Enrollment" option unless that's not available in Intune yet.
*Thread Reply:* @Peter Mohr but allowing native mail/EAS also means that we have to change conditional access and allow the native mail app....
@Boe we are testing this with user enrollment, same issues with contact sync.
*Thread Reply:* Yes you would need to allow native client. You could do this with certificates only (thus blocking unmanaged setups) and also only allow contact sync and not mails too
*Thread Reply:* Interesting, I thought when you used "user enrollment" it kept the data separate, including creating a separate corporate iCloud account.
*Thread Reply:* Yes, but we are not talking about user enrollment here :-)
Does anyone here use Okta as their IdP and use Endpoint Manager? Is it normal that when a user enrols, they have to sign into Okta twice during the enrolment using Android Enterprise?
Hey All, interested in people's thoughts on best practices when implementing policies with Endpoint Manager. When do you use user groups over device groups and vice versa, or do you steer clear where you can and utilise security groups for everything?
*Thread Reply:* User groups for me. Zero-trust approach with the emphasis on User Identity.
*Thread Reply:* There are some exceptions. But I would plan to assign policies to the user Object.
Hey everyone, we have an issue that is causing us to now have to restrict the use of the camera inside the work profile for a specific app on specific Android devices (sounds fun, right). I know how to accomplish this in WS1, but before we buy more licenses to accomplish it and start enrolling users I was tasked to see if it can be done in EPM, since we were planning to make the jump to it next year, but if we have to buy licenses one way or the other we are considering making the jump sooner for these devices. Thanks in advance for any insight you can share with me.
*Thread Reply:* I don't believe Microsoft have ever implemented per-app permissions. Just all apps that support it. What you could try (a little long-winded but potentially worth a shot): create your payload in WS1 and tailor your permissions to what you need, export the XML and create a custom configuration in EPM and upload the XML file. Never tested whether this would work myself, but thought it could be worth a shot
*Thread Reply:* Thanks Ajay, honestly this is my fear with us making the switch: that a lot of stuff we do now we won't be able to do anymore. Since I don't have access to EPM at this point to experiment, I have just been digging through documentation trying to find a way to do it but haven't seen anything yet. Since these are BYOD devices I can't break the camera as a whole and it's needed for some of the other work apps, but this specific one has a data leakage issue on certain Android models, so until the dev gets that fixed this is our workaround.
We recently set up DEP for our iOS devices. The devices are showing up in ABM and syncing with Intune. The devices are showing up in the devices section as having a profile assigned to them. We have only set up one profile and it is set as the default profile. When I turn on a device it shows my companies information and goes to the remote management window, but when I select next it says "The configuration for your iPhone could not be downloaded from 'Company Name'. Invalid profile".
We renewed the token, removed the single app mode and attempted again. Enrollment still presents the same error: "The configuration for your iPhone could not be downloaded from 'Company Name'. Invalid profile.". This is an Intune enrollment via ABM not Configurator. This is also a User Affinity profile enrollment.
Any thoughts? Anyone else have this experience?
*Thread Reply:* Did you try to set it up before config was finished, or did you try to restore or sync an old backup/device? Sometimes the device gets stuck this way and won't work until you factory reset or reinstall iOS.
*Thread Reply:* Right — as Wolfgang says, sometimes this shows an issue with your test iPhone, not the MDM. Use Configurator to fully erase all content and settings, or try another phone.
Another thing to try is to change the DEP options in Intune to skip as few screens as possible — i.e. making this as vanilla a profile as possible.
If things are really bad, try to repeat while the phone is connected to a Mac, with Console open on the Mac. Console will show you the iPhone’s internal logging. That will spew a lot of info, but it may capture the specific error you are seeing.
*Thread Reply:* I had the same issue because the MDM authority was set to Office 365 (i.e. not Intune). Changing it to “Intune + Office 365” solved the issue.
Does anyone know if there is a way to integrate a third party vendor certificate authority (like Cisco ISE) with Intune so we can leverage user certificates for Wi-Fi profiles with Intune? We have no on-prem environment, so no NDES server or certificate connector. I doubt there is a way.
*Thread Reply:* Cisco ISE is not a certificate authority: it is a Wi-Fi controller. To integrate with Intune you will need a separate CA, Microsoft based. You do not need an on-premise one, you can create one in the cloud. For example SCEPman: https://oliverkieselbach.com/2019/07/02/the-easy-way-to-deploy-device-certificates-with-intune/ After that is set up, you add the necessary config on Cisco ISE to trust the client certificates from that CA
*Thread Reply:* Awesome info thank you Mark! 🙏🙏🙏 Since an active Azure AD Subscription is needed, there are extra costs right?
Ah ok.. someone told me today that the ISE is able to issue certs just like MobileIron Core. Obviously he was wrong! :facepalm::skintone_2:
*Thread Reply:* Not sure where you have got the information that ISE is not able to issue certificates, but you are wrong. You can setup Cisco ISE to issue certificates like MobileIron Core does!
*Thread Reply:* Cisco ISE is a Wi-Fi controller, not a CA. Just like MobileIron Core is a MDM server, not a CA. Sure both have an option to set it up as a CA, but it is not the primary function. Intune can’t use ISE as a CA. It can only interface with Microsoft (NDES/SCEP) based CAs. Hence you need an on-premise CA or something like SCEPman
*Thread Reply:* You can connect Cisco ISE directly with Intune, I believe. https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/adminguide/biseadminguide21/biseadminguide20chapter01000.html#task820C9C2A1A6647E995CA5AAB01E1CDEF
Anyone here have experience with exclusions in the Intune App Protection “Save Org Data” settings? Have a VIP who needs to be able to save photos to the iOS photo library. I’ve tried a few URL schemes such as “photos-redirect” in the exclusion, to no luck
Any ideas how we can outbound proxy all Edge traffic? With WS1 and Browser, all external traffic went via the Tunnel, which was configured with our outbound proxy; not sure how we achieve the same. Thanks
*Thread Reply:* Do you mean having Edge as the browser, accessing internal websites? If so, you can use a 3rd party VPN or Azure Application Proxy
*Thread Reply:* Alternatively, you could leverage the global proxy payload, but it is a device wide proxy as opposed to Edge app proxy.
*Thread Reply:* Thanks guys. App Proxy is in place, so to confirm all outbound Edge traffic goes via the App Proxy as long as app proxy is configured accordingly with an outbound proxy ( for audit purposes)?
*Thread Reply:* What do you mean with “outbound edge traffic” and “outbound proxy” ? Do you have an outbound proxy configured in the Application Proxy? Like this: https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-connectors-with-proxy-servers
If so, what do you mean with outbound edge traffic exactly?
Another interesting doc on AAP and attacks: https://techcommunity.microsoft.com/t5/azure-architecture-blog/detect-attacks-using-application-gateway-and-web-application/ba-p/1579861?utmsource=dlvr.it&utmmedium=twitter
Also, have you configured Azure AD conditional access rules for your AAP web application? Like so: https://docs.microsoft.com/en-us/cloud-app-security/proxy-intro-aad
*Thread Reply:* Thanks Mark. I’ll have a read. Basically we need to be able to see what sites users are accessing via Edge. So AAP needs to be able to point to an outbound proxy that can do this function.
Hi guys. Has anyone succeeded in wrapping applications in Intune?! I mean using the Intune wrapping tool to change .pkg format apps to .intunemac apps, which is the only compatible format for adding line of business or in-house macOS apps on Intune. I tried to do so, but the Intune wrapping app keeps closing the process immediately after being launched. I went through the app's release notes and it says version 1.0 of the app only works on Macs with OS versions than Catalina, but I still experience the same result with a Mojave Mac. Can anyone help me out?! Thanks in advance guys. [P.S: A screenshot with the display of the Intune wrapping tool app launched in the Mac Terminal app].
*Thread Reply:* Out of curiosity why are you trying to wrap apps?
*Thread Reply:* @Ray Domingue because that’s the only way how to deploy macOS apps (outside of App Store) to macOS devices via Intune.
*Thread Reply:* I would rather avoid Intune for that and use Munki for app deployment. Use Intune just for Munki client installation.
*Thread Reply:* Thanks for the insight @Ladislav Blazek. I will check it out. Any complementary information is welcome.
*Thread Reply:* If using Munki to deploy apps... then why have Intune....??.... (This is a real question)
*Thread Reply:* Yes the wrapping tool works fine for me. You just have to use the -c and -o options.
I agree with @NicolasR about Munki, it's a lot of overhead to maintain, and the server infrastructure for the app installs too. And you lose the benefit of management from a single console (well, two now that they split Intune off from the AAD portal for some reason 🤨)
*Thread Reply:* Thanks guys... I finally succeeded in making it work. I had to enter a chmod command to grant executable rights to the app.
Has anyone been able to deploy the system camera of Samsung AE devices via add system app in Intune? This is not working. Double checked the package name, but the camera is not being deployed!
*Thread Reply:* I think we have a case like this with a customer and Mobileiron... looks like it was Samsung issue but not 100% sure....
*Thread Reply:* Yes correct - with MobileIron this still works 100%. No way to deploy this with Intune while using Outlook. The weirdest thing is: If we deploy Outlook with MobileIron Core, the System Camera will be removed even though the lockdown policy which worked before is still attached. I am getting the feeling this is related to Outlook. Can anyone confirm this?
*Thread Reply:* I confirm your scenario will not work. We are using OneDrive or Office app to get the camera feature working under a Work Profile. Ultimately, we're also deploying Open Camera towards those devices when our customer is not willing to use OneDrive app.
*Thread Reply:* Thanks for your feedback.
Hello, is any of you using 3rd party Patch Management software for all 3rd party apps to keep them up to date on Windows 10 machines?
Does anyone know how Intune determines if a package installs successfully? Mine deploy fine but they stay in "Pending" in the console, and they deploy over and over again once a day. Which is really annoying.
I first thought it must see a .APP bundle in /Applications but some of our third-party apps don't work like that. So I've made a custom placeholder .app for each of those and include it in the custom packages (with the same bundle ID and version). They install in a folder under /Applications. But this doesn't seem to work. Still showing pending 😞 and looping. Also, I made sure the installers don't generate errors. And they are properly notarised and signed, and so is the custom .app of course. I'm a bit lost as what to do next, and their support doesn't really know Mac very well.
*Thread Reply:* I have the same issue right now. Any help is welcome. 😩
*Thread Reply:* Ok at least I'm not the only one, will keep you up to date what I find @Pierre_B!
*Thread Reply:* By the way do you also see it installing over and over again or does it not install at all?
*Thread Reply:* Yeah! Still pending... nothing installed on the target pc.
*Thread Reply:* That's a different problem then, for me it installs but it keeps installing it every day
*Thread Reply:* By the way, what kind of package are you building? For me raw packages wouldn't work, only distribution packages
*Thread Reply:* I tried both package types but none of them will go through with the install after provisioning.
*Thread Reply:* How did you manage to leverage the installation on the mac PC??!
*Thread Reply:* One of the problems is that Intune must see a .APP going under /Applications
*Thread Reply:* But not all applications work that way (like McAfee Agent that uses a shell script to install)
*Thread Reply:* So I made a "dummy" app that I install in a hidden folder
*Thread Reply:* It all works but it keeps repeating
*Thread Reply:* You also must sign and notarise everything
*Thread Reply:* Alright, I get it, I didn't go through the notarization process. Can you give some steps to go ahead with notarizing in-house apps please??!
*Thread Reply:* Yes, first of all you need a Developer ID type certificate
*Thread Reply:* The old style for Mojave "Installer Distribution Certificate" does not work with notarisation
*Thread Reply:* ```bash
#!/bin/bash
# $1 = .pkg file name, $2 = last part of the bundle ID (com.company.pkg.$2)
# Sign the package with the Developer ID Installer certificate
productsign --sign "Developer ID Installer: <certificate name>" "$1" "Signed/$1"
# Submit the signed package to Apple's notarization service (--asc-provider takes the team ID)
xcrun altool --notarize-app -f "Signed/$1" --primary-bundle-id "com.company.pkg.$2" --username "<my apple id>" --password "<my password>" --asc-provider "<my team ID>"
echo "Wait for email"
read
# Attach the notarization ticket to the package, then copy it and wrap it for Intune
xcrun stapler staple "Signed/$1"
cp "Signed/$1" ~/Package\ Build/Raw\ Packages
~/IntuneAppUtil -c "Signed/$1" -o ~/Package\ Build/Intune\ Packages```
*Thread Reply:* This is the script I use to notarise and sign it
*Thread Reply:* It needs 2 parameters: One is the .PKG name, the other is the last part of the bundle ID (com.company.pkg.xxxxxx)
*Thread Reply:* Then I wait for the email to come in saying it's notarised, press enter and it continues
*Thread Reply:* Once I get it fully working (without the looping) I'll make a blog post to explain the whole process
*Thread Reply:* Only the team owner can create developer ID and "Developer ID Installer" certificates. The latter is what you need
*Thread Reply:* However you need the developer ID one also if you want to build a custom .app to include
*Thread Reply:* @Pierre_B not sure if you saw this
*Thread Reply:* Thanks for the info @Tycho. I will look after this!
COPE issues… Am I the only one who experiences the inability to install Company Portal and hence use Outlook (or other Office apps with app protection policies) when leveraging the newly born COPE functionality in Intune (Corporately Owned Work Profile)?
*Thread Reply:* App Management: App assignments, app configuration, and associated reporting capabilities. Support for app protection policies will be added in a subsequent preview update.
*Thread Reply:* https://techcommunity.microsoft.com/t5/intune-customer-success/intune-announcing-public-preview-for-android-enterprise/ba-p/1524325 might be best to read this for initial functionality
*Thread Reply:* Thanks for that @Ajay Patel - makes sense 🙂 Do you know if it’s stated anywhere if backup and restore will ever be an option for users on COWP devices?
*Thread Reply:* I’m still prompted for installing Company Portal in Outlook even when there are no App Protection Policies applied to neither device nor user 😞
*Thread Reply:* in AE you need company Portal for MS Apps to work.
*Thread Reply:* But Excel works fine, so it’s not all MS apps..
*Thread Reply:* Maybe you don't have an app protection policy for Excel? That's strange, since Company Portal is a hard requirement for app protection policies to work on Android.
*Thread Reply:* https://docs.microsoft.com/de-de/mem/intune/fundamentals/end-user-mam-apps-android
*Thread Reply:* But I don’t have any app protection policies setup for neither excel nor Outlook for the user I’m testing with, so I shouldn’t experience any app protection policy influence. This is why I’m wondering why I’m prompted for CP in the first place?
*Thread Reply:* conditional access maybe? there are conditions which require management app like company portal too.
*Thread Reply:* sometimes such a trivial mistake when testing is setting the assignment to all user/devices instead of a selective group, have you checked that?
*Thread Reply:* We’ve only tested with assigning to single groups and not all users/devices. Also Conditional access is not assigned to any groups where our test user/device resides.
*Thread Reply:* Last thing I could think of is MFA, but then I don't know.
*Thread Reply:* Unfortunately that’s not the culprit either - MFA is not setup in this test scenario..
*Thread Reply:* But has anyone of you guys had any luck with COPE and Outlook (without A.P.P.)?
*Thread Reply:* @Tycho how is that going for you? What is your definition of success for this pilot? I’m thinking: can you apply all CIS benchmark controls with Intune, and how many of those are native and how many are via script or workaround?
*Thread Reply:* @ZL Sorry I was away. For me the definition of success is having it implemented without issues. For the moment I'm seeing several major blockers:
• App distribution is super difficult. Even when I got it to install apps, they constantly keep repeating the install (about once per day)
• There is no OS version management (you can't force people to upgrade to the latest sub-version like you can with Workspace ONE)
• DEP doesn't seem to work with Modern Auth still
• The password compliance doesn't seem to affect local accounts
Those are really the main ones for me. Knowledge of their support on Mac issues is also a weak point unfortunately.
Has anyone seen this error when users are enrolling their Mac into Intune? It happens regularly and I can't find the cause :(
Hi there, Azure Role question, hopefully this is the correct place to post, if not, please advise.
I've invited one of my admins to assist with Intune management, and granted him the following roles: Security Admin, Intune Admin, Conditional Access Admin
We did this about 3 hours ago, and as of now, when he goes to the Endpoint admin Center/Devices/Conditional Access, he gets a permissions error. Is this potentially an issue with security permissions not propagating to his account in time or am I missing a role?
*Thread Reply:* I’ve seen it take up to 24 hrs and even longer to propagate. Do you have an Intune license assigned?
Getting this on an Intune tenant, anyone else getting this? 4 Special characters will get a lot of end-user-push-back.
*Thread Reply:* I've seen this with another MDM, but slightly different. If the user takes their time in the setup assistant, the payloads begin to land, and if you're enforcing a passcode, it won't let you pass this screen. My experience was enforcing a 4 digit passcode, but this same screen would ask the user to enforce a 6-digit passcode... and if you entered 4, it would take it... kinda misleading. Have you tried to see if you can get away with a passcode as defined by your payload? FWIW, I always skip the passcode screen in the DEP enrollment profile and give the user the hour to set it after they get into their phone. We have too many customer end-users who get all flustered in the setup assistant, and immediately forget what they entered... 😂
*Thread Reply:* Is it not part of a compliance policy?
PS: The special characters are a bit much indeed 🤣 We just allow 6 digits but no "simple" codes, which means 123456 or 000000 etc. is not allowed.
*Thread Reply:* So weird, because the Intune Device Compliance Policy is not those settings… a lot simpler than that.
*Thread Reply:* I have seen passcode requirements like this when folks are testing things or as a “default pain” profile when a device breaks rules (although in the pain case it usually is a 20+ char passcode). I would first change to something you know that meets the requirement, then look in Settings under the MDM profile and see if it is coming from your MDM or somewhere else.
*Thread Reply:* Mmm thanks for the input guys, I’ve bypassed things by ‘skipping’ the passcode screen during DEP. Didn’t try recreating a new DEP Profile which I know has resolved things in the past but would be worth a try for anyone searching this.
Why are iOS contacts such a headache with Intune? I know that Outlook provides a 1 way sync from the app to the device--so contacts added to the native iOS Contacts app are not synced back over to Outlook. What are you doing to help solve this issue?
*Thread Reply:* You can push an Exchange ActiveSync config to the native iOS app, that syncs contacts only. If you do, block contacts export in Outlook with an App Protection Policy.
*Thread Reply:* Yeah we've made a MS Form to make people choose between Exchange (native mail) and Outlook so they can't have both at the same time to stop the issue of double sync (and also user confusion!)
*Thread Reply:* IIRC Microsoft said the 1-way sync is an Apple limitation
*Thread Reply:* I do not see any Apple limitation that would force a 1-way sync..... many ActiveSync client’s can do two-way sync
*Thread Reply:* Don't forget the Outlook app doesn't use ActiveSync and uses its own REST API. It's possibly a limitation in their API which they haven't bothered to sort yet.
*Thread Reply:* Sure, but years ago it was using ActiveSync too and nothing has changed with regard to contact sync since then. Regardless of protocols used, I fail to see how MS can blame Apple for this. Contact management in Outlook still sucks and is the only reason I use the native contacts app to sync with Exchange.
Is it possible to do a manual blacklist of apps with Intune? This would be for iOS and for Android COPE or work-profile...
*Thread Reply:* Ended up using the OEMConfig "Disable Application without user interaction" option. OEMConfig instructions for Knox here - https://uem4all.com/2019/07/09/intune-oemconfig/
Does Intune Education Licenses have the same feature set like „normal“ licenses or are there less features? We want to manage Android devices and we heard this is only possible with the „full device management experience“ and not with EDU licenses
*Thread Reply:* Intune for Education is included in the following licenses:
• Microsoft 365 Education A5
• Microsoft 365 Education A3
*Thread Reply:* so if you have any of the above you would be able to use AE to manage devices.
Quick question surrounding app protection policies. I've created an app protection policy for a POC. The work profile is assigned (required) Outlook and Onedrive. I created an app protection policy which restricts screenshots, and "Send org data to other apps" is set as "Policy Managed Apps". I read this as, if the app is managed by Intune, then it's a "policy managed app"... is that how everyone else reads it or is that referring to all apps that are part of this particular app protection policy?
I ask because with it set like this, I go to share a file from Onedrive to say Outlook, and I get a window that says: No Available Apps, there are no apps on this device that your organization allows to open this content... contact your admin.
The odd part is this works fine on my Fully Managed (DO) Pixel... but not on my work profiled device.
*Thread Reply:* Policy managed apps are apps that have a protection policy applied. As far as I know, it does not have to be the same policy, just some policy. Are you sure both OneDrive and Outlook have a policy assigned and also applied on your work profile device? We have multiple customers with this setup, I have not come across your issue tbh
back 2 back "Intune" questions - under the impression E3 doesn't contain any intune licensing, yet we got 140+ devices enrolled into InTune via company portal app enrollment workflows. Can anyone clarify what MS actually means by InTune licensing as it's included in E5 but not E3 yet here I am with a bunch of E3 device enrollments
*Thread Reply:* What E3 license do you have? Office365 E3 or Microsoft 365 E3? Any other licenses available? Without a proper license bundle that includes, Intune assigned to the user, you can not enroll a device into Intune. This is actually a common reason for enrollment to fail.
*Thread Reply:* As @Mark Vonk says, if you have M365 E3 then that includes Intune. See link below. Most companies I know have Microsoft 365 E3 and this is what you probably have if you are enrolling devices.
https://docs.microsoft.com/en-us/mem/intune/fundamentals/licenses
*Thread Reply:* What kind of devices do you mean? For some Windows 10 or Office 365 features which are used by Intune you need some additional licenses. It's the same when you look at Conditional Access and Azure AD, which are needed/used together with Intune.
*Thread Reply:* As others have said, you probably have the M365E3 license that is a combination of O365E3 and EMSE3
*Thread Reply:* Sorry for skipping out on these replies - thank you for the feedback, I'll have to double check!
A general question - is anyone copying the Exchange GAL to a dedicated mailbox and deploying that mailbox to the users? We use Outlook on Android and iOS and we need the caller ID for the GAL (without third-party integration). Looking for your experiences.
#microsoftendpointmanager #microsofto365 Hello, does anyone know if the app protection policy targeting Android Enterprise is only triggered if the device is registered in Intune, or does it also trigger if it's Android Enterprise on another MDM?
*Thread Reply:* As long as the Company Portal is installed, it should be triggered.
*Thread Reply:* Ehm no, it won’t trigger. If you target the device type “android enterprise” it will only trigger on Intune managed devices. You will need to include “unmanaged” devices, to include devices managed by a different MDM. It will actually tell you if you hover over the explanation for Device Types in the Application Protection Policy; unmanaged devices includes 3rd party MDM vendors.
*Thread Reply:* Argh, overlooked Intune at the beginning
*Thread Reply:* Intune can't see if a device is Android Enterprise managed, or if it is managed with DA, unless it manages the device itself. If you read the description of all three types, it is pretty clear.
*Thread Reply:* More info here: https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policies#target-app-protection-policies-based-on-device-management-state
*Thread Reply:* Note the difference between iOS and Android too: for iOS with the IntuneMAMUPN set, even with a 3rd party MDM, it is considered a managed device. Android managed by a 3rd party MDM is never considered a managed device.
*Thread Reply:* Thought like TGR, but you are right. The MAMUPN thing fooled my mind
*Thread Reply:* I missed the AE managed-part of it - You’re right, it would have to be for unmanaged devices. @Mark Vonk I didn’t know about iOS still seeing it as being managed if by a 3rd party MDM - thanks for pointing that out 🙂
@Suresh Gopi Kolluri has joined the channel
Has anybody got a good solution for deploying paid apps from the Google Play Store to AE devices in Endpoint Manager? I appreciate that the following links say that paid apps aren't supported but I wasn't sure if there was a way to work around this?
https://support.google.com/googleplay/work/answer/6150398?hl=en&ref_topic=9561024 https://developer.android.com/distribute/google-play/work
At the moment I can only see two options:
1) Contact the app developer and buy the app from them as an APK file and add it as a line of business app (nightmare to maintain).
2) The app needs to be redeveloped to be free with a purchase option built in.
*Thread Reply:* 3) Have the developer create an “enterprise edition” which is free in the Play Store, but privately distributed to only those organizations that have paid for the app out-of-band. This will be a new AppID/BundleID and then the developer assigns your OrganizationID to the deployment
*Thread Reply:* All the benefits of Play Store apps no APK files to manage
*Thread Reply:* In App Purchase (IAP) from free to premium model doesn’t really work for enterprise deployments
*Thread Reply:* That's really useful thanks, @Peter Mohr
I’m new to Intune and I’m currently testing some things for Android Enterprise. Coming from Workspace ONE I configured a Passcode profile for Android devices and expected the device to ask for a passcode during the enrollment. It didn’t and instead it only informed the user about the need for a passcode, after the enrollment.
My question now is, is there an alternative way to enforce the passcode setting during enrollment? Something like a custom profile? Or is this something that can only be enforced when you use Zero Touch and configure the DPC part? I’m a bit confused, so please correct me if I’m mixing up different things that I need to consider.
*Thread Reply:* the best way to force this is to set a compliance policy and when you start creating it, it will look very similar to that of a profile.
*Thread Reply:* I have a compliance policy running in parallel, but both do not enforce it.
*Thread Reply:* I am stunned - can anyone else confirm that this is not working with Intune? Where are all the Intune lovers when we need them? 🤣
Hi all-looking for some advice on how others are deploying apps to different platforms in MEM. I’m piloting it with some iOS and Android devices, and I have some apps for both platforms applied to an AAD group of pilot users. Required apps install, and available apps are available to install so the expected behavior is there. The problem is, if I look at the Managed Apps section for a device, it shows all apps applied to the group, whether they are iOS or Android, regardless of the device type. As a result, some screens will show a red X/warning/error because an app is ‘Not applicable’ (i.e., Android’s version of Outlook shows ‘Not applicable’ for iOS devices). Also, it looks like two ‘versions’ of many apps are applied to a device, and may show ‘Available for install’ even though its really not. For example, it may be an iOS device, but an Android version of the app is applied to the group of which the user is a member and thus shows up for that device. I expect TONS of confusion from my helpdesk/support techs as it currently is. Any suggestions for how to clean this up?
*Thread Reply:* Copy that - I miss a way to deliver apps and policies with a rule saying that if part of both a device group and a user group, then applicable. It’s a mess when applying to user groups where both Android and iOS (and potentially Windows devices) are present. When possible I’m using dynamic device groups sorting on enrollment profiles and/or OS type and maybe even device models if this is a differentiator (iPhone vs iPad apps).
@Stephane Gregori has joined the channel
Hey all, we're currently rolling out Intune Fully-Managed Android devices. We have a list of apps that we assign as "Required" installs, so that the user gets those apps automatically. However we are seeing that when those apps have issues, the user is unable to uninstall the app in an attempt to uninstall/reinstall. This is a standard troubleshooting technique for our Helpdesk techs. Is this normal behavior for Intune to restrict uninstallation of the Required apps? I would think that the app would be allowed to uninstall, but then the Required assignment would push the app back down and reinstall. Anybody have some insight here?
*Thread Reply:* All I have to say is good luck. Intune & Fully Managed devices are like oil and water.
*Thread Reply:* Wait, what? I'm confused. Fully Managed is an enrollment type in Intune...
*Thread Reply:* @Travis Reeves works with iOS, but can't uninstall required apps for Android. Anybody have any insight here?
Hey everyone as I continue to try and replicate what we currently have in WS1 over in MEM I'm not seeing anywhere to change what the device name will get called as part of its enrollment. Is this something that can be done or are you stuck with user nameandroidforworkdate
*Thread Reply:* It depends on the device type - For iOS devices that using Automatic Device Enrollment, you can define the name in the enrollment profile, but for Android devices we are still hoping (unless something new has occurred)
*Thread Reply:* RIP, yea I'm currently testing with Android just because it's less work to get up and going, but I'll have to tackle the iOS stuff at some point as well. Not a big deal either way, would just be nice to have it be something cleaner.
*Thread Reply:* I would love for this to be a thing on Android devices! I have asked this question many times hoping someone might have an update I missed to say this is now something you can control 😞
Hi All, testing Intune's rendition of AE COPE and having some trouble with Company Portal not landing on the container and as such not able to use the Outlook app in the workspace - has anyone else had similar issues?
*Thread Reply:* I’m seeing the same thing - app protection policies are not functioning on COPE yet, but even without using those, I still can’t make Outlook work.
*Thread Reply:* I read somewhere you have to remove them altogether from the user, testing that now - will let you know
*Thread Reply:* Removing all App Protection seems to have worked - I was able to sign in
*Thread Reply:* OK - I tried moving them for the groups that the test user was part of with no luck. Seems I can try again..
*Thread Reply:* Hopefully MS will prioritize enabling this in the coming builds
*Thread Reply:* APP policies need the company portal app to work. On COPE with 3rd party MDM this works.
Is anybody using geolocation for managed Android/iOS devices in Intune? For managed Android DO mode devices, this isn't an option. For managed iOS, you have to enable lost mode first (which locks the iPhone) and then you can try to track the device (if it's online). Are there any services or free apps that you're using to help with this?
*Thread Reply:* That is pretty much expected behavior on the iOS side. I've heard of some small niche MDMs using their agent to wake itself up to avoid the location services helper from turning off due to how iOS operates, but my approach has always been you don't get to track iOS in real time without entering managed lost mode
Running into some super strange issues turning on Conditional Access - We have it assigned to a single group that contains 2 people, yet seeing impacts across the entire environment - mailboxes disappearing, some folks receiving messages that their accounts cannot be found when trying to log back into mail for instance. No app protection policies or anything else that would restrict access. Any insights? Feedback from the wild:
• Some people got it to work through Microsoft Exchange
• Some people got it to work with the Outlook app
• Some people got it to work with the canned email app
• Some people lost all their contacts, others didn’t
• Some people lost their email signatures, others didn’t
• Some people STILL can not get in because whatever we try to do, it requires them to log into Microsoft Office with their email address and their password won’t work. Tried “forgot password” and that won’t work. Will get “Microsoft Account Doesn’t Exist”.
*Thread Reply:* Use MSFT What if tool to see what CA policies affect which user https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/what-if-tool
*Thread Reply:* but what you describe doesn’t sound like a CA issue. Sounds like multiple different issues with the environment.
*Thread Reply:* Oh what a great tool! thank you @ZL
*Thread Reply:* Go to Azure AD, Sign-ins and look at which Conditional Access policies were used on the recent logins. Are the two people's accounts used for integrating services? Maybe disabled legacy auth or broke Exchange hybrid?
Only other change to the environment is everyone across the board was granted Enterprise Mobility + Security E3 and if they did not already have O365 E3, were upgraded to that license type
*Thread Reply:* Maybe disabled legacy/traditional auth in Conditional Access and still use it? (It's an MS default security best practice)
Sorry this is probably gonna sound like a dumb question but can someone please explain to me how I remove a deployed policy from a specific device? In WS1 this is very easy to do when you want to test and see if the policy is what is causing the issue but for the life of me I can't seem to find this in Intune 🤣
in the policy you would need to create an exclusion group and add the users to it
*Thread Reply:* You just gave me 1 more reason to hate Intune lol thanks for taking the time to let me know though 😄
If anyone else missed this like I did, you can now blacklist/whitelist system apps using EPM! https://docs.microsoft.com/en-us/mem/intune/apps/apps-ae-system
*Thread Reply:* @Ajay Patel when looking at that when it refers to "Android Enterprise corporate-owned with work profile" is that considered different than the traditional byod Work Profile? I'm guessing so but just want to make sure I'm following this correctly as I see that managed a lot of places but very little mentioned of the BYOD scenario
*Thread Reply:* Yes, correct: corporate-owned with work profile is essentially COPE (as it exists right now before Android 11) and Work Profile is considered BYOD
*Thread Reply:* Okay, it's starting to make more sense to me now why some of the stuff I could previously do with WS1 I can't seem to get to work correctly in Intune. Also makes sense why, when I had a call with some MS reps about the project, they said they require all their staff to leverage "Android Enterprise corporate-owned with work profile" rather than the BYOD work profile. I get the feeling they truly want you to just use MAM for pure BYOD
*Thread Reply:* So is there any way in a traditional BYOD scenario Work Profile to surface up stock apps like the camera for instance?
*Thread Reply:* no the camera has always been one of the pain points in Work Profile for everyone... still a case of deploying something like Open camera
Anyone know how to restrict an Android Work Profile device to creating accounts in specific domains? I’m able to do this with Workspace ONE by allowing specific domains for Google accounts but haven't been able to transfer this to Intune.
Here is the custom XML I use in WS1: ```xml
<characteristic uuid="823984a3-0b82-43f9-b275-dc44837f77a8" type="com.airwatch.android.androidwork.app:com.google.android.gms">
  <parm name="authaccount:alloweddomains" type="string-array"><array><string>company.com</string></array></parm>
</characteristic>```
Hey folks, what marks device as personal in Intune ?
*Thread Reply:* MSFT documentation states: “On personal devices, your organization can only see your managed app inventory. For corporate-owned fully managed and dedicated devices, your organization can see all of your app inventory.”
I see a lot of complaints about Contacts within the Outlook Mobile App. Can someone enlighten me of the issues I'm going to most likely see as we transition? Is this more prominent on one platform vs the other or does this just suck for both iOS & Android?
*Thread Reply:* @Boe Welcome to the club. I'm the president.
*Thread Reply:* I don't want to join @Ray Domingue, don't make me do it 😛 In all seriousness though, what are some of the pain points people are seeing? I'm just starting to build everything out so we can start testing, and previously we were WS1/Boxer, so curious what new headaches I'm going to see around this since it was pretty smooth sailing for Boxer. If I can find enough show-stopper issues leadership is willing to back off on the switch to Intune; I just don't think I'm going to find enough to slow this ship down.
*Thread Reply:* Android, it's not going to be really much of an issue. iOS, yes it's an issue and it's a terrible experience. I've tried to find workarounds, fixes, nothing. What we've done is educate our users to NOT create contacts in the native Contacts app. All contacts should be created in the Outlook app. Otherwise, you'll be left with contacts saved onto the device itself and if it gets lost/stolen the user is S.O.L.
Also, rumor has it that MS is making some changes to this in regards to the Outlook app. A friend of mine knows one of the MS Engineers and he stated as such. But no date or further information was given.
*Thread Reply:* Interesting, see I already have a bit of that issue now. We default all Android users to Boxer (no real good alternative with AE & WS1) but on iOS we default to Apple Mail (Boxer sucked at the time of our initial roll out), but now that it's good we give it to them upon request. As a result we have fought the Apple bug where when you add an A/S account to iOS it changes the default contact storage location, so when employees leave the company some lose all their contacts since they defaulted to Exchange instead of their local device. Effing contacts screwed no matter what product I'm stuck supporting :D
*Thread Reply:* @Boe "Effing contacts screwed no matter what product I'm stuck supporting". I know it. I have heard of one major company that went to MAM-only policies. What does this mean? The end user is responsible for their own device & contacts. If they lose their contacts (if by a lost/stolen phone or purchased a new phone), it's not I.T.'s responsibility. I really wish M$ would make some changes to this 1-way sync in this regard. I don't understand why it works on Android, but not MS. My theory is either M$ is just that oblivious & ignorant to the issue at hand ... or Apple will only release their APIs to Google but not MS.
*Thread Reply:* @Ray Domingue haha ya we just had an internal call to figure out our stance on MAM vs MDM. Honestly I feared we would get stuck offering both, which just makes support more difficult and confusing for our desktop staff in my opinion. I'm sure it's really not, but most of our staff hate supporting phones at all, so I really wanted us to choose one or the other, so leadership said no to MAM as it's just too limited compared to MDM, which is what we do now with WS1. The icing on the cake was talking with some MS reps who told us point blank as employees they are not allowed to use MAM, and actually if they are an Android user they have to wipe and enroll their device as a corp phone just to get work apps/email on their phone, which is a little crazy to me. I would have thought normal Work Profile would have sufficed but I guess MS wants all the control 😂
Why is it that you can set a managed Google Play app as required using a device group, but if it's set as available using the same group, it just doesn't show up? For some reason available apps need to be assigned user groups to show in the managed Play store.
*Thread Reply:* I've only done a little testing, but I'm using a custom security group that only my test account is in, and I have a mixture of apps, some required, some available/optional, tied to the same group. What I noticed is that required ones do not show up in the list but do show as installed, so I'm waiting for updates to come out to validate they update correctly, but any set as available show on the main screen.
Interesting read:
https://o365blog.com/post/mdm/
How are others handling MS Authenticator breaking the User enrolment model on iOS 14? Blacklisting it? Banning BYOD?
*Thread Reply:* Hey @AJ, can you elaborate on the issue? Are you trying to prevent regular device enrollments and only allow user enrollments?
*Thread Reply:* No, trying to prevent the OAuth token passing into the personal APFS volume to authenticate unmanaged apps.
*Thread Reply:* I don’t think User Enrollment can be used with office apps without extreme data loss risk
*Thread Reply:* You’d be forced to rely on O365 App protection Policies, which are basically worthless.
*Thread Reply:* Ah ok, good point. I'm looking into User Enrollment and didn't think about that being an issue.
Is there a way to configure a Google account in the work profile of an Android device? I assume this can be done via a custom profile. If Google accounts aren't allowed then I don't think we can use Intune
I'm currently in the process of testing out Intune for MDM with the aim of migrating over from WS1. Currently in WS1 we deploy wifi profiles to Android Enterprise fully managed devices that contain manual proxy configuration. Within Intune if you are using EAP/PEAP it seems you can assign some form of proxy information, however for basic PSK auth it does not seem to be possible. I have hunted high and low and this just doesn't seem to be possible using Intune. I feel this is a fairly basic requirement so I must be missing something here. Can anyone shed any light on this or point me in the right direction?
*Thread Reply:* You are going FROM WS1 TO Intune for AEDO? Godspeed! (RIP)
*Thread Reply:* Care to expand on that? It's more of a business financial decision but the more ammo I have against it the better.
*Thread Reply:* It always is a business decision. No one goes and picks Intune because of its feature set lol, they pick it because they already have Office
*Thread Reply:* It might be fine for you if you are OK with doing everything through Play and all the downsides that come with Play. It probably also depends on your devices and apps - but usually Dedicated / Fully Managed type deployments have requirements for version control, change window / standardization / file system / direct APK, etc that WS1 can do but Intune cannot
*Thread Reply:* The downsides of using Play are not an issue for our use case which is good. The only real reason AEDO is being used is because the device is to be fully managed and the business didn't want to head down the whole work profile scenario. So there is no requirement for any kind of version control or change windows etc, it was from a user experience side of things.
*Thread Reply:* Well that sounds like a nice low stress job lol
*Thread Reply:* Until the move to Intune by the sounds of it
*Thread Reply:* Any other major stumbling blocks I may come across that would be good to know about?
*Thread Reply:* No Remote Control - but I was shocked to hear not everyone has that in WS1 either
*Thread Reply:* I think they have some kind of separate Teams app you have to use to get view
*Thread Reply:* Probably need some other folks who use Intune on the daily to comment. We've tried to implement with it a few times and they have all failed and devices ended up being unmanaged or requiring separate tools in addition to Intune but our requirements are more strict than yours
*Thread Reply:* Thanks for your input Drew. Hopefully we can get some of the daily users chiming in as well, would be a big help.
*Thread Reply:* A range of Samsung mobiles and tablets
*Thread Reply:* I think we need a #helpimbeingforcedfromacapableemmtointune channel
*Thread Reply:* The bandwidth required to support such a channel would surely risk the stability of the internet as a whole
*Thread Reply:* I've been summoned I see 😄 Also I feel your pain @Elliot A. I've said this at my company plenty: going from WS1 to Intune is like giving me a company-issued Porsche and then taking it back and handing me the keys to a Toyota Prius. Sure, both can get you from point A to point B, but one is far more enjoyable to work with.
*Thread Reply:* I will add that I feel like Intune is a good enough product if you just have basic needs (as a company we fall into this camp mostly), but once you need to do more than the basics it really falls on its face. I've spent the last couple of weeks trying to replicate just the functionality of our basic BYOD needs and have fallen short on a number of things. I have to present my findings to management soon and then they can decide what compromises they want to make in order to save a buck. If I had final say we would stay with WS1; ya it costs more, but it's a better product all around. Simply put, it took MS giving it away as part of O365 to really drive its adoption, which to me says it all.
A Zero Touch/EPM question - I have noticed that there is now an expiry date on the token. Does this mean that if I'm using this token I would need to update the ZTE portal every 90 days with the new token details?
*Thread Reply:* For dedicated devices this is unfortunately the case.
*Thread Reply:* thanks @TGR thought this was the case 😞
*Thread Reply:* I guess it could be automated using the Customer API (https://developers.google.com/zero-touch/guides/customer/how-it-works) in a combination with the Graph API and Azure automation runbooks
*Thread Reply:* I already have been dealing with this with AMAPI and it's a huge pain in the ass. My condolences in advance 😅
is it possible to deploy a mix of Managed Google Play and LOB android apps into kiosk mode or would the LOB app need to be published into the Managed play store?
*Thread Reply:* Managed Play. Intune doesn't support APK deployment for AE 🙄
*Thread Reply:* Yep LOB is only supported by Intune on legacy DA. Microsoft didn't write a DPC agent for AEDO - they just leverage Google's cloud DPC and Google doesn't think you should load apps from any source other than Play
*Thread Reply:* thought that was the case... I know this question has been asked/answered a million times, but if a developer hasn't published their app in the app store, how can they give us access to it so we can publish it via managed Google Play? I remember seeing something that we have to give them an ID or something
*Thread Reply:* https://arsenb.wordpress.com/2020/07/01/how-to-publish-an-app-to-customers-managed-play-store-with-android-enterprise/
*Thread Reply:* The developer would need to publish it to a Private Play store and then grant access to your Organization ID
*Thread Reply:* after which point it will show up as available app within your Managed Play Store for that Org ID
*Thread Reply:* OR if the APK is completely custom for you with a unique bundle ID then you could upload it via the Managed Play iFrame as a Private app
*Thread Reply:* the key part is it needing to be completely unique to you as there can only be one of each bundle ID in all of Google Play
*Thread Reply:* If the developer is providing that app to multiple customers then they would either need to publish it to the public play store, or publish it to the private play store and then associate it with each end customer’s organization ID for their EMM instance
*Thread Reply:* Note that even if they are publishing it on Private Play, it still has to adhere to all of the rules and requirements for an app on Play - unlike a LOB apk
*Thread Reply:* And it will still have to go through the review and approval process - so it could take several days before it actually showed up as available for your devices
Okay so random question, cause honestly my mind is mush at this point and I'm sick of looking lol. Is there a way in this field, using some variable, I can have it name a device something specific but then add a number to the end of each? So something like "Test0001", and have the number auto increase with each new enrollment.
*Thread Reply:* I believe the best you can do is use %RAND:x% where x is a number of digits you want. So for example you can have test-%RAND:4% which would end up being something like test-4957
What would people do on EPM for shared devices (not dedicated/task devices) but actual devices? Typically on WS1 we would create a basic user to enrol the device for management of the device (no email etc is needed, but just for phone calls etc). Would I still need to create a user and just assign a basic Intune licence to that user?
*Thread Reply:* For Android, I’d setup the device as AE dedicated and for iOS, I’d use DEP (ADE) without user affinity
*Thread Reply:* but they still need access to the managed play store to download whatever apps we have allowed. Can i do that with dedicated?
*Thread Reply:* The issue with allowing apps is that it doesn’t work with device groups (someone please prove me wrong as this is very annoying), but you can push out apps as required to dynamic device groups based on enrollment profiles for dedicated devices
*Thread Reply:* Ajay that's an issue I'm working thru now. In WS1 I create a generic account in our console for our limited user case iPads. We refer to them as our Kiosk config where it has a specific set of apps needed by a user/dept. Problem I'm running into is in WS1 we offer some apps by default and others we make optional for install thru the Hub. In EPM because we have 2FA on it basically makes the Company Portal worthless in this scenario unless someone can tell me a magic work around where they can use the CP app without 2FA.
Opening up a web link to a SharePoint site on an iOS device in a managed browser (Edge) prompts: "Action not allowed" 'Your organization does not allow you to open this data here'
• it doesn't paste the URL into Edge
• if I enter the URL to the site manually in Edge, it opens fine
• in Safari, I'm prompted for credentials, but after entering them, I gain access
On Android devices with a web app setup using Managed Google Play, the site opens fine. There are no app protection policies setup at the moment, and no conditional access policies are setup specifically for either Android or iOS. Any clues to what might be happening??
EDIT: it seems that I get the error no matter which URL I put into the Web-link and force it open through a managed browser…
Rephrasing my question from yesterday: Weblinks opening up in managed browser (Edge) on an iPhone errors with ‘Action not allowed’. It’s not a problem on an iPad with the same setup…
*Thread Reply:* What comes first to my mind is that MDM solutions consider iPad (browsers) as desktop (browsers) since the iPadOS 13 release.
*Thread Reply:* But this seems like an issue with accepting the incoming data from the WebClip in the Policy managed app Edge. I’m not sure how it being a desktop browser should affect that… But I’ve had similar thoughts myself.
*Thread Reply:* Anyone having weblinks into Managed Browser Edge on iPhone that works as it should?
*Thread Reply:* MS seems to have fixed it over night. Today on both my tenants I have it working after Edge suddenly restarted..
Does anyone know if it's possible to see what Google account was used to bind managed Play with EPM? The connectors and tokens tab just shows the status but not the email address used
*Thread Reply:* Hey @Ajay Patel go to Devices > Android > Android enrollment and then click on Managed Google Play and you should see the account associated with it in the top right corner.
*Thread Reply:* thanks @Boe i knew i'd seen it somewhere!!
Has anyone setup a Linux VM to test Microsoft Tunnel yet?
Can anyone share pain points they've experienced migrating from WS1 (or other) to InTune, please?
*Thread Reply:* I would just suggest reading thru the channel; there are plenty listed at this point as we all get pushed by management to make the switch to MS's free solution.
*Thread Reply:* • Re-Pushing config profiles to devices (simple way to fix things in WS1 for EAS profiles, etc. ) appears to be a non-existent option in intune presently.
• Compliance ‘check in’ with Intune is less frequent (in WS1 had it tuned to every 4 hrs iOS, a bit longer for Android). MTD options are a must for intune (‘must’ for any but seems much moreso with intune w/ the less frequent compliance check in options…)
Jon Towles’s write-up is on point with the major differences/considerations: https://mobile-jon.com/2020/07/13/evaluating-intune-against-workspace-one-uem/
*Thread Reply:* Thanks for these points and the article @JaR3. Appreciate the input!
*Thread Reply:* For Dedicated Device / COSU / AEDO deployments there is no method for direct installation of LoB APKs or file management for external configuration files. Everything is pushed through Managed Play which has a fair number of limitations for the mission critical device use case.
*Thread Reply:* We dont consider Intune to be a viable option for AEDO deployments and likely won’t until either Intune builds a custom DPC that supports direct APK installation and file management (unlikely) or Google improves upon Managed Play’s capabilities (more likely)
*Thread Reply:* Awesome - thanks for taking the time, Matt. Once I compile some information, I can post it here, so it's in one location rather than trying to search through the channel.
*Thread Reply:* Is there a way to build a custom QR code for Intune DO enrollment, like pre-configure a wifi and disable/enable system apps?
Is there any way to stop the Company Portal app being pushed out to a fully managed AE device which is using the Intune app? We don't have the Company Portal app assigned to any users to push out, but it still gets pushed out, and obviously it's not used in AE enrollments?
*Thread Reply:* not sure you can 'not' have Company Portal pushed to your devices (AE included) given it's the required client 'agent' to enroll the device, drive compliance check-ins, etc. 🤷‍♂️
*Thread Reply:* but isn't that done through the Intune app now? If I click on the Company Portal app it just gives me a prompt to open the Intune app, and from there I can see my device and sync it etc...
*Thread Reply:* I could be wrong about this Ajay but it was my understanding Company Portal app was replacing the Intune app. Similar to how Intelligent Hub replaced the Workspace ONE app for VMware/WS1.
*Thread Reply:* @Boe I could be wrong but i thought it was the other way round?
*Thread Reply:* Could be but when I went thru training two weeks ago they never mentioned the Intune app it was all Company Portal. Then again everything with Intune is about as clear as MUD 😄
*Thread Reply:* this is from the MS website
What's the difference between the apps and the website? The Company Portal app is available for Windows 10, iOS, macOS, and Android devices. It integrates seamlessly with your device's respective platform. The website version is accessible from any device and gives you the same, universal experience no matter what device you're using. The Microsoft Intune app is for corporate-owned Android devices and doesn't have a website.
*Thread Reply:* Interesting I wonder why they are offering 2 different apps. Seems like a bit of a waste of development and just makes things more confusing for admins. I'm gonna chalk this up as another reason why I feel WS1 is still a better product lol
*Thread Reply:* This year’s Ignite focused on MS making Company Portal the ‘one stop’ app portal for all clients (even as far as moving to Co Portal vs. separate SCCM app repositories in Windows in the near future). Co Portal would very likely be the app required (whereas a sep intune app would not, long-term)
*Thread Reply:* @JaR3 thanks for the info i haven't caught up on the ignite event yet so good to get some background info.
Hi all,
Wondering if some of you might have some thoughts/hands-on on the following two issues we experience during a MEM enrollment: -After enrolling an iOS device not all Microsoft suite apps like Word, Teams, Excel, etc. sign in automatically based on the enrolled user in the company portal. However on Android devices it works consistently smooth. On iOS devices it works for several apps but for several not (OneDrive, Teams).
-In this specific environment there is an on-premise Exchange server being used together with HMA. After enrolling a device through the company portal and opening the Outlook app, the user is asked to add the populated O365 account. If you try to add this account it loads for a while, and after loading you are asked to configure an Exchange account (Exchange icon) manually: server, domain, username etc. If you just delete this window by using the upper left bin icon, you are sent back to the add account window; if you try to add the O365 account again you are signed in automatically without having to add the account manually. Again, this happens on iOS devices, multiple users, but on Android it works smoothly.
Somebody any ideas, thank you a lot!
*Thread Reply:* Have you added a configuration profile for Outlook?
*Thread Reply:* We experienced this issue with a configuration profile deployed to the devices and without a configuration profile.
Anyone using Motorola or Honor with Intune? Seems to have issues with the enrollment - stuck during enrollment within the company portal app (Android Enterprise WP) Any ideas?
*Thread Reply:* Not much to go on with that chap. I have Motos in my intune though
*Thread Reply:* So you had no issues during the enrollment?
*Thread Reply:* Nope, what sort of issues might you be referring to and have you done any troubleshooting?
*Thread Reply:* Troubleshooting with Intune Enrollment? 🤣 The question is, how?
*Thread Reply:* Yes troubleshooting, still an Android device and if you're just pushing WP you'll have full debug abilities. Logcat, bug report, whatever visual errors or outputs the device provides.
*Thread Reply:* Can you provide any resources to that? I am familiar with ADB logcat. Bug report?
anyone noticing any issues with policies being assigned to devices in EPM today? Created a new iOS test policy but has been stuck at pending install for over an hour. Have wiped and resetup (using ABM/DEP) a few devices but the policy never gets applied. Apps download just fine.
*Thread Reply:* ignore customer hadnt licensed themselves correctly 🤣
Question for anyone using Company Portal and MS MFA: is there a way with conditional access or some other setting to exclude specific accounts or a specific group from needing to use 2FA? Another thought was to disable the need for 2FA when connected to specific corp wifi networks. The team at my company that set it up are not sure and don't seem interested in digging in, so I'm hoping someone in here can shed some light on this for me 😄 The reason I'm needing this is that in WS1 today we build what we call kiosk profiles, where we use a local account created within the WS1 console, and those configs come with specific apps auto installed, and then staff can open up the Hub and install additional approved apps if they need them. When trying to replicate this on Intune we are not able to, as everything under the sun needs 2FA as it stands now.
*Thread Reply:* @Boe How many devices are you talking about?
*Thread Reply:* Currently we have close to 400 iPads running this way, and there will be an order for at least another 300 more shortly, possibly more for an upcoming project
*Thread Reply:* You can definitely exclude specific accounts and groups from conditional access policies. It's pretty straightforward; there are literally 'Exclude' sections in the CA policy settings. I think you could also do it based on specific Wifi networks, but I'm not 100% there. I know that you can specify IP ranges that do or don't require MFA.
*Thread Reply:* You can exclude the “Microsoft Intune enrollment” from the conditional access rule that enforces MFA. This allows for device enrollment without MFA. I have had some issues with that though and had to create a ca rule that enforces MFA for all services EXCEPT the Microsoft Intune Enrollment service.
*Thread Reply:* See: https://www.techmymind.net/post/microsoft-intune-enrollment-service-in-azure-conditional-access
*Thread Reply:* Thanks for the info guys I appreciate everyone reaching out
Good Morning guys. Are you having problems installing APKs from unknown sources? My devices are Android 10/9 (Enterprise dedicated devices), with a restriction profile allowing installing APKs from unknown sources. Help please....
*Thread Reply:* How are you actually installing the APK in question? Manually? Through an OEM tool of some kind? Also what is the behavior that you’re seeing? Is the APK installing and then being removed by Intune or is it failing to install?
*Thread Reply:* Manually. In profile restrictions I allow installing any APK from unknown sources... but when the devices sync policies with Intune, the APK gets deleted with the message "Deleted by your administrator". It's like Intune is not able to configure the policy correctly on the device.
Anyone else seeing issues in Outlook on Android (Work Profile) where users are no longer able to add photos (from the photo roll in the personal profile) to an email? I have a customer seeing this behaviour on a handful of devices where it used to work but all of a sudden does not work anymore. No change in restrictions, profiles, etc. Re-enroll does not solve it. I am unable to reproduce it myself.
Is there any way to simplify the password EPM gives out when resetting a device passcode? The below generated password is just ludicrous!
*Thread Reply:* Actually that's a great question. IDK TBH.
*Thread Reply:* I dont know either, but I would love to find out!
*Thread Reply:* found this uservoice! lets get as many votes as we can haha! - https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/12516498-less-complex-android-passcode-while-resetting-a-pa
*Thread Reply:* Can't wait to see this on the roadmap for 2022! Lol
Reposted from Apple channel. What is the expected behavior when enterprise developed ipa-files expire? We’ve pushed out a couple of LOB apps through Intune that have expired but we’re out of luck with pushing out new provisioning profiles..
I believe I’ve been able to reenable apps before after they’ve expired in other MDM systems, but when trying to push out a provisioning profile in Intune, we get this error - do we have to resign the app itself if it reaches expiration date before pushing a new provisioning profile?
*Thread Reply:* if the provisioning profile is due to expire then this can be renewed via EPM. You will need to create a new profile under Apps > iOS app provisioning profiles > Create profile. However, if the actual certificate is due to expire, then the app has to be re-wrapped with Xcode or similar with the new certificate and deployed out again. Hope that makes sense
*Thread Reply:* Thanks for the feedback - That makes sense, but the issue is that the provisioning profile already has expired but we’ve created a new provisioning profile, we just can’t apply it as EPM sees it as being expired (see the screen shot) even though the date hasn’t expired… The certificate hasn’t expired
A bit of comic relief.... I created a case with MS on iOS managed devices the Comp Portal app crashes everytime you open it up. This is the response I get back from MS: 1 - they want a screenshot of the app crashing. Do I send them a picture of my home screen?? LOL :) 2 - question in the email from support: "what is your ultimate goal?" Uhmmmmmmmmmm ... not to crash. Sheesh.........
*Thread Reply:* I was able to capture a screenshot of the crash for you
*Thread Reply:* @Drew Petersen BRUH! Hilarious!
Hi all, can anybody tell or refer to documentation what the expected behaviour of the Company Portal should be when an AAD user changes his AAD password or when a AAD password expires? In this particular case it is about iOS and Android. Thank you!
I am looking for a mail app for Android Enterprise where I can configure a second mailbox with Intune - preferably contacts only. Any suggestions?
*Thread Reply:* second mailbox for Outlook is targeted for November. ISEC7 MED is very popular for second mailbox access. If you want the full mailbox as the user who owns it, Microsoft mentions Nine Work
*Thread Reply:* Outlook - For both Android and iOS?
*Thread Reply:* Do you have a reference for that?
*Thread Reply:* Am I blind? Cannot find anything in regards to a second mailbox
*Thread Reply:* 67273 and 67274 last sentence
*Thread Reply:* Update regarding this: Within Outlook on the private profile, delegated Mailboxes will be applied automatically, but within the Work Profile it’s not. What is the difference? Should this work?
I've got Corporate Owned devices coming in through ABM and KME. I need to block personal devices and allow BYOD contractor devices at the same time. I can't ask a Contractor for their serial #, and I can't use a device restriction to block personal devices. Contractor devices will never be in ABM or KME. There are probably a few ways to give a contractor access to O365 so I'm asking you folks, what's worked and what hasn't?
*Thread Reply:* Thinking out loud here. Could you enforce use of a PIN for any device that wants to enroll outside ABM/KME? Then have some sort of request process that ends with the PIN(s) being provided to the contractor?
*Thread Reply:* couldn't you do this through enrolment restrictions? You have a priority 1 that blocks it all for all users, then a priority 2 that allows it for a certain user group with the contractors in? Alternatively, app protection policies for O365 apps without the need for enrolment, assigned to a security group housing the contractors?
*Thread Reply:* ya, I've been suggesting an O365 only enrollment but am getting little interest. Can you layer enrollment restrictions......... brb 🙂
*Thread Reply:* Order of operations question: if rule 1 blocks it for all users, how do users get evaluated against rule 2?
*Thread Reply:* ah yeah I've just read it, the top priority will always take place and ignore the rest, and it doesn't have an exclusion group either.. I think your best bet is then app protection policies targeting a user group
Anybody else have managed iOS devices in Intune? The Comp. Portal app keeps crashing. Open it up, then crashes. Can't do anything. Not just me or my test account, happening to our users as well. Thoughts?
Everyone please vote here: https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/12516498-less-complex-android-passcode-while-resetting-a-pa
3rd question for the day ... w/ iOS 14 you can't uninstall required apps. Anybody else found a workaround with regards to this?
*Thread Reply:* This is due to change in EPM very shortly. I read somewhere yesterday on the Microsoft website (just trying to find it and will add the link) that they will revert the changes made so that a user can uninstall a required app, however it will auto re-install due to the required setting.
*Thread Reply:* 10/21/20: We previously communicated that when using the “Required” assignment type for apps on iOS 14 devices, apps are marked as non-removable. As communicated in MC224749, based on the customer feedback, iOS 14 apps deployed as “Required” will become removable when the November update of Intune is released. Managed iOS devices need to sync with Microsoft Endpoint Manager to reflect the change in required apps. We are currently working on the ability for admins to toggle the setting in the UI and expect that feature to release in December.
How can I add a private Google Play app which was whitelisted from a developer for our organization id?
*Thread Reply:* You should be able to find it and approve it via the Managed Play iFrame
*Thread Reply:* There can be delays from the time it was approved to the time it shows up on your end however. You are just at the mercy of Google in those situations. I’ve seen this take a full day before so if it was just recently approved you might have to come back later
*Thread Reply:* Where should it appear within the iFrame? With MobileIron Core you would also add the app manually to the AppCatalog with the right Package Name.. will not appear there automatically either since it is not our app.
*Thread Reply:* You should be able to search for it directly within the Managed apps view
*Thread Reply:* You could also try navigating to the managed play console directly and pass in the bundle ID into the URL
*Thread Reply:* https://play.google.com/work/apps/details?id=com.android.chrome
*Thread Reply:* replace com.android.chrome with the bundle ID of the app that you’re looking for
*Thread Reply:* and see if you can access the app in order to approve it while logged in with the managed play account for the enterprise
*Thread Reply:* Excuse my french, but that shit worked like a charm! 😃 THANKS Matt! 😎👏🥳🍺
Question 1: Is there a way to enroll an iOS device in Intune without Username/Password, but like with QR-Code instead? MobileIron has that covered within Mobile@Work.
Question 2: Is there an iReg-Enrollment like with MobileIron Core where I don't need to download the app for enrollment but can install the profile via Safari?
*Thread Reply:* Question 1 Answer: I don’t believe there is a QR code option specifically, but if you are using ABM/DEP enrollment, you can specify to enroll with device affinity instead of user affinity, and that does not require a username/password.
*Thread Reply:* But no user affinity would mean no user relevant profiles like a mailbox for example, right?
*Thread Reply:* Right, well then it’s pretty much useless for normal user enrollments.
*Thread Reply:* Yep. The inability to do things across user and device ‘lines’ is a big hang up for me. For example, in MI, I can apply things to all members of ADGroupABC that have an iPad. In MEM, I can target the AD group OR iPads, but not both.
*Thread Reply:* Right, that's what I miss too. Also device groups are soooo slow in MEM
Howdy folks. What are the best practices around creating MEM test environment ? Should one spin up a new tenant or a new subscription ?
*Thread Reply:* Do you guys test everything in prod ?
*Thread Reply:* it totally depends on the size of customer/environment. A lot of customers don't have the budget to spin up a test environment and test everything in prod. If you are testing in a prod environment you just have to be extra cautious of what you are doing especially if you are doing things with conditional access rules/compliance rules etc. You wouldn't want to go wiping/blocking existing devices
*Thread Reply:* What if cost is not an issue? What is the best practice from your point of view ?
*Thread Reply:* Personally I would always opt for a testing environment. The problem you sometimes get though is your testing environment does not have the same configurations as PROD, so you encounter different behaviours that you sometimes were not expecting. For the purpose of testing MAM, if you have access to a test environment then great, you should be able to test just fine. If not, just be cautious of the groups you apply the policies to
*Thread Reply:* Can you even get a new MEM in a new subscription? I never heard that. Testing depends on what and what's the impact. Global changes should be tested in a test tenant. User-based changes can be tested in prod (so you can be sure the remaining config is really the same)
Hello, for Outlook on Android emails are not syncing automatically. Every time I have to do it manually. It's an O365 setup. Any idea?
Hi All, could someone please explain to me why Intune shows two entries for each installed, managed app. One entry shows "Waiting for install status", while the other shows "Installed". This is happening for both iOS and Android...
*Thread Reply:* Because you’ve assigned both the iOS and the Android app to the user on the particular device. For some strange reason MS don’t filter on the apps actually available for a particular device, even though what you’re seeing is quite confusing…
*Thread Reply:* Some additional details from my experience: if you assign these to devices or device groups (instead of user or user groups), you can limit this to showing only the ‘right’ apps. However, device assignments take longer than user assignments, so it would sometimes be several hours after registration before an app installed.
*Thread Reply:* And I haven’t seen this myself, but I’m told that if you have Windows 10 devices managed in MEM and apps assigned to those users, it will actually attempt to install iOS and Android apps on the Windows devices. Had someone tell me they see device side logs showing this, and did see Android web shortcuts show up as desktop icons on Windows devices, which is astonishing to me.
*Thread Reply:* AND if you want to just make apps available, device groups won’t work - so you’d need user groups anyway… That would’ve been a way of cleaning up some of those double/triple managed apps…
*Thread Reply:* Right, so it's showing both the user and device assignment? Weird. The apps are assigned by user group, so not sure why it would show both.
*Thread Reply:* No, it’s showing that an iOS app named Outlook is assigned to User1 and an Android app named Outlook is assigned to User1. Even if User1 is on an iPhone, any Android apps assigned to that user will also show in the Apps list in MEM.
Hi All, is it possible to do GPS location tracking with Intune on Android? We are doing the COPE model, but is this possible on any of the models (COSU, COBO, BYOD?)
*Thread Reply:* on iOS only in lost mode and user will be made aware. Don’t think you can do it on Android. Maybe a 3rd party solution. I’m guessing this has to do with privacy laws in different countries
*Thread Reply:* https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/31982647-locate-or-find-a-lost-android-device
*Thread Reply:* Wow... thanks. Pretty basic functionality missing from the supposed "leader" from Gartner.🤔
*Thread Reply:* Gartner says Intune is the leader in Android EMM?! You gotta be kidding me! Anyone have a link to that report?
*Thread Reply:* where did you find that? from which year is that? complete bullshit
*Thread Reply:* https://www.microsoft.com/security/blog/2020/08/20/gartner-announces-microsoft-leader-2020-magic-quadrant-unified-endpoint-management-uem/
*Thread Reply:* Thanks - sadly it's just the chart from Microsoft rather than the report from Gartner. I suspect the report would show the lens that would lead to such selections so that we would see the criteria being biased towards Microsoft (probably including things like Windows PC/laptop management, etc)
*Thread Reply:* yes MS is a leader in UEM but not in Android^^
Hi, does anyone know if Android Multi-user kiosk mode is available on MEM?
*Thread Reply:* It should have been added to Microsoft Managed home screen, but I haven’t tested it yet.
*Thread Reply:* It is available in public preview. https://techcommunity.microsoft.com/t5/intune-customer-success/intune-public-preview-enroll-android-enterprise-dedicated/ba-p/1820093
Hello, is there a manual way to sync discovered apps ? According to documentation the sync happens every 7 days I wonder if there is a way to speed this up. Need to prove that changing device ownership from Corporate to Personal removes all personal apps from the list.
*Thread Reply:* No. I talked about this last week with someone from MS and they confirmed that there is not a way to speed it up nor to manually force a sync of discovered apps. In my testing, the list didn’t update after 10 days (at which point I wiped my test device for other purposes). I was told this might have been because I did not have the device on all the time and it might have been off or offline during the attempt to sync the apps list.
Hi, I’m in a situation where I want to unenroll iOS (supervised and non-supervised) devices from MEM and have Outlook immediately remove the org data it had stored previously (shown in the image). Currently I’m testing it with a non-supervised device and the result is not what I actually expect. I unenroll using the “Remove this device” button in the Company Portal, I get a prompt that the device is now unmanaged and some apps (that I have configured in that way) are being uninstalled. Outlook is not supposed to uninstall itself since a user could also have his personal inbox in the app; instead I want it to remove the org data of the company inbox immediately. This is not happening: I had occasions where it was removed after a couple of hours, situations where it was not removed at all so access was still there, and scenarios where I’d see a little banner at the bottom of the Outlook app asking me to sign in to O365 while still showing the inbox, still receiving notifications from new mails, but not actively showing the new mails in the inbox. I’m in exchange with Microsoft Support and they say this unexpected and inconsistent behaviour is actually expected, which does make sense to me. Maybe one of you guys had similar experiences and can potentially share an idea on how to work around this. Thanks
*Thread Reply:* Hi Julio, have you considered to block access via Conditional Access rules e.g. for unmanaged devices?
*Thread Reply:* Hi Nico, unfortunately I don’t have access to the Conditional Access part of Intune. I already thought about checking that and maybe using that for some testing…
*Thread Reply:* You could also send a wipe of the MAM container when unenrolling the device
*Thread Reply:* selective app wipe in intune
*Thread Reply:* You need App protection policies in place for it. Test before use. I haven't done it in a long time
*Thread Reply:* I have app protection policies enabled. Yeah, I’ll definitely test it before I apply it somewhere
*Thread Reply:* Yes, u need to use selective wipe to remove the MAM org container. If u just unenroll and stuff, the MAM removal isn't triggered until the Outlook OAuth session cookie is destroyed. Which can take up to 7 days (default TTL) or longer if the cookie lifetime is longer
Samsung Knox Mobile Enrollment with Intune - what is the configuration for enrolling Work Profile devices? I have created a KME profile with “let MDM choose to enroll as DO or PO”. I have entered no custom JSON data because there is no enrollment token for Work Profile enrollments. This seems not to work - the enrollment profile will get applied on the device, but at some point I end up with the device asking for a QR code. I have enabled a QR code for the Samsung+ gesture to configure a Wi-Fi, but that's not the one. Any ideas what I missed?
*Thread Reply:* Create a DO enrollment token in Intune and add this to the custom JSON data: `{"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"Enter Intune enrollment token string"}`
*Thread Reply:* ahh - sorry I never finished reading - I don’t think Intune supports enrolling Work profile through KME
*Thread Reply:* You can though sideload the company portal using a DA profile and then hope for the user to actually complete the enrollment him/herself
*Thread Reply:* Ah, that would explain it - well, good point with the DA. But I thought migration from DA to AE with Intune would mean re-enrollment?
*Thread Reply:* Work profile as in BYOD or COPE?
*Thread Reply:* Samsung calls it Profile Owner!
*Thread Reply:* Yes, that works fine with KME. But not with an enrollment token or QR. In KME create a DA profile and push the Intune Company Portal. Have the user log into the Company Portal and voila
*Thread Reply:* Explained here; https://docs.microsoft.com/en-us/mem/intune/enrollment/android-samsung-knox-mobile-enroll
Follow the steps for Android device administrator, not the steps for Android Enterprise. I know that sounds weird, but it works, as long as Intune is set up for AE work profile enrollment: https://docs.microsoft.com/en-us/mem/intune/enrollment/android-work-profile-enroll. So block Android device admin enrollment for the users in Intune.
*Thread Reply:* It’s actually not that weird, because you are enrolling a device with a device enrollment program (KME) designed for corporate devices, but you are applying a BYOD enrollment scenario. Hence this workaround. If you wanted to do COPE, you would have to follow the steps in the first link for the Android Enterprise steps. That would require a token from Intune (Work Managed, Work Profile) though.
*Thread Reply:* Thanks Mark. Makes total sense!
Auto-Enrolling W10 Devices into InTune via GPO (User-Credential). MFA on accounts is jacking this process up. Is there a way to smooth out the automatic procedure without entirely disabling MFA? I’ve excluded InTune Enrollment in the CA policy but W10 continues to prompt the user when the enrollment activities begin.
*Thread Reply:* The only way I’ve found to streamline is by disabling MFA. Customer is prepping to make a move from O365 to M365 E3 licensing sooner than later. Would that afford me any more options here?
*Thread Reply:* have you tried excluding Intune enrolment from MFA policy ?
*Thread Reply:* @ZL I've excluded Intune Enrollment from the Conditional Access policy. Couldn't find a specific spot in the legacy MFA area to add it as an entry?
*Thread Reply:* Check following setting Azure Active Directory > Devices > Device settings > Require Multi-Factor Auth to join devices
*Thread Reply:* Appreciate the 2nd set of eyes! I see it there @ZL. Will see if that has any bearing on the outcome
*Thread Reply:* @ZL it’s already set to not require MFA to join devices
*Thread Reply:* Have you tried removing the Test user from Legacy MFA and apply MFA via conditional access policy? https://docs.microsoft.com/en-us/microsoft-365/admin/security-and-compliance/set-up-multi-factor-authentication?view=o365-worldwide#turn-off-legacy-per-person-mfa
*Thread Reply:* @ZL we did this by hand for the test user. Let me check and see if CA MFA is still injecting itself into Auth requests outside InTune Enrollment.
*Thread Reply:* Test with Azure AD conditional access What if tool.
Has anyone experienced this error when enrolling an iOS device in InTune and if so, was there a resolution? I've read mixed reviews, from it being bricked to potentially a factory reset. Error: Profile Installation Failed The profile "Microsoft.Profiles.MDM" must be installed interactively.
Don’t enroll into MDM with “quick setup” - The blue bubbles and all that. It causes this behavior
Thanks @Peter Mohr - kind of new to InTune, so lacking that history...
It actually applies to all MDMs but you’re welcome. It’s an iOS bug
Usually happens when trying to apply a backed-up device as a restore on top of a DEP-enrolled device. The restore tries to overwrite the MDM profile and fails since it is locked. That’s my experience with this issue.
I did see that @Peter Mohr, in my googling, that it is not exclusive to InTune. These are DEP enrolled devices that were enrolled in MaaS360 and being reenrolled into InTune. So @Sharkey, what is the resolution in that case?
*Thread Reply:* https://mobilepros.org/2019/02/ios-device-management-backup-and-restore-reference-guide/
*Thread Reply:* I simply don’t allow restores in this fashion. I encourage device to device transfers when possible. Those work fine.
*Thread Reply:* I’d say what @Peter Mohr said, don’t use the “Quick Setup” option. If people want to restore something, go through the setup until you get to the screen where the user is asked if he wants to restore from iCloud, from PC or no data transfer at all. That’s for all MDM solutions.
*Thread Reply:* Yes. Just skip quick setup, you can still do backup/restore, but you just have to login manually
*Thread Reply:* The only restore option that doesn’t work is restoring an un-supervised backup back onto the SAME hardware after adding device to DEP. Then the new device will not be supervised. Restoring to other hardware will fix this issue.
*Thread Reply:* Also if you do a migration from one MDM system to another and make a backup before moving the device in ABM. If you try to restore your backup, you’ll end up in the old MDM no matter what ABM is pointing the device to.
*Thread Reply:* Yes, of course - it was a reply to Peter Mohr’s comment that the only restore option that wouldn’t work would be restoring an unsupervised backup…
*Thread Reply:* The issue is that the activation record for some strange reason is part of both the backup and restore (when restoring to same hardware)… Apple says this is by design…
*Thread Reply:* I know - it sucks 😞 In migration scenarios I’ve seen though that if you unenroll from the old MDM, move the pointer in ABM to Intune and synchronize in Intune, you can install Company Portal manually on the device and sign in and the device appears to be both corporate owned and Supervised in Intune without resetting the device… Has anyone else tried this out?
*Thread Reply:* yes, because the supervised flag stays on regardless of enrollment or not
*Thread Reply:* DEP flips the flag on setup and stays on until wiped
*Thread Reply:* I believe in that case you can remove MDM profile
*Thread Reply:* you can do an enterprise wipe remotely to remove MDM
*Thread Reply:* I meant to say that the end user can remove the MDM profile in this case
*Thread Reply:* MDM profiles are locked in using DEP(ABM)
*Thread Reply:* users can’t remove them generally
*Thread Reply:* he is not factory resetting them though
*Thread Reply:* enterprise wipe will remove MDM profile
*Thread Reply:* example: so if I unenrol a device from WS1, then move the serial number in ABM from WS1 to Intune, then on that device go to the App Store and download the Intune client and enrol to Intune straight away. Would the user be able to remove the MDM profile or not?
*Thread Reply:* by unenrolling the device, you would remove the MDM profile
*Thread Reply:* ABM assignment is not going to change anything on the device
*Thread Reply:* that would only take effect on a device wipe
*Thread Reply:* crucial step, un-enroll (which does the enterprise wipe)
*Thread Reply:* then use Company Portal to enroll manually
*Thread Reply:* Are you saying DEP device will auto factory reset when you unenrol it ?
*Thread Reply:* 1. Unenroll from MDM, this will remove the MDM profile
*Thread Reply:* Assign to ABM is a separate process, needed, but not necessary to make this all work
*Thread Reply:* then user goes to settings and removes MDM profile
*Thread Reply:* if you used DEP then the profile should normally be locked
*Thread Reply:* I’m talking about the steps you outlined above
*Thread Reply:* only way to remove it, is to unenroll from console
*Thread Reply:* in this case they can remove the profile
*Thread Reply:* thats how I remember it, need to lab it
*Thread Reply:* Unless you changed the DEP profile to allow removal
*Thread Reply:* which is possible, but not normal
*Thread Reply:* in steps above there is no DEP protection as you have not reset the device before the enrolment.
*Thread Reply:* it is BYOD enrolment with Supervised flag from previous MDM
*Thread Reply:* yes, correct, the point is to avoid reset, but the security risk is that the user can remove the MDM profile
*Thread Reply:* BYOD would not have a supervised flag
*Thread Reply:* ABM enrollment will lock the profile in place by default, unless you changed that option
*Thread Reply:* I think we are talking about different things, or I’m not making sense.
*Thread Reply:* a manually enrolled iOS device, the user can remove MDM anytime
*Thread Reply:* a supervised device, they cannot
*Thread Reply:* but in the steps you described above and the steps described by TGR there is no ABM
*Thread Reply:* you download the Intune client from the store
*Thread Reply:* if you have it in ABM, it would be supervised
*Thread Reply:* if you reset it, it will come up with the intune profile next time
*Thread Reply:* but to avoid reset and get it enrolled, just unenroll it
*Thread Reply:* then have the user enroll again through the portal app
*Thread Reply:* device will stay supervised and lock in again
*Thread Reply:* That's where I don't believe it will be locked again
*Thread Reply:* That's how it was a year ago when I tested it
*Thread Reply:* Your supervision profile has not changed
*Thread Reply:* so it will have said to lock it in
*Thread Reply:* i’ll try it again later. But I have done this.
*Thread Reply:* if this is how it works now it is a game changer.
*Thread Reply:* last time I checked if you do this device is not locked , user can remove the profile
*Thread Reply:* this particular customer does not want to wipe, bad UX they say
*Thread Reply:* its free with some licenses and that is what is driving the adoption and migration from other MDMs
*Thread Reply:* well at least we all got work as mobility and security is in demand as never before
*Thread Reply:* When we’ve tested it from 7P to Intune, we basically revoked the enrollment from 7P and installed CP manually from app store and after logging in, the device came up as supervised + company/corporate and not as personal. I think the synchronization with ABM from Intune is necessary to make the device seen as ‘enrolled by’ the enrollment profile and hence corporate..
*Thread Reply:* what do you mean by the mdm profile locking in?
*Thread Reply:* Can you remove the MDM profile from the Settings menu?
*Thread Reply:* ahh - that 🙂 I’m not sure - I didn’t test it. I’ll see if I can have it tested next time I’m at the customer.
*Thread Reply:* I’ll have to disappoint you on this. The profile is not locked, so the user can remove the management profile after enrolling.
I have a question regarding app assignment. I have a bunch of supervised iOS devices enrolled that have installed Company Portal from the App Store. The app is not assigned in Intune since the settings of the default profile for iOS say “Install Company Portal with VPP: No”. I want to change the current setting to where the app is pushed using the VPP token (for future enrollments) and an unenrollment would remove Company Portal from the phone. The first part is easy, even though I ask myself if the change “Install Company Portal with VPP: Use Token XYZ” would have any impact on already enrolled devices. It basically shouldn’t until the device is factory reset and re-enrolled next time. For the second part though, I’d have to assign the VPP Company Portal app to all devices and mark it as “Required”. Would that only give the user that one popup that says the app is managed by your company now, or should I expect any other side effects?
Hi all, can I enforce device PIN/Password for Android devices using MAM?
*Thread Reply:* Hi Nico, with MAM you can only enforce settings on the application level. You can enforce the following security settings:
• Require a PIN to open an app in a work context
• Control the sharing of data between apps
• Prevent the saving of company app data to a personal storage location
To enforce settings on the device itself you need to have MDM.
*Thread Reply:* Hi Berry,
thanks for your response. Well, I hoped there is something similar to the data encryption for iOS devices which forces the user to set up a device PIN. Just want to make sure I haven't missed anything.
Has anyone had success in creating a WebClip to launch Chrome recently?
https://emm.how/t/how-to-create-an-ios-webclip-in-intune-that-will-open-in-another-browser/1233
*Thread Reply:* So I just tried this. Microsoft apparently closed the door at the API
*Thread Reply:* @Woody haven't tried this in a while myself, however isn't it just "
*Thread Reply:* it looks like you have put googlechromes
*Thread Reply:* @Ajay Patel the trailing “s” forces the site to be opened in HTTPS. Though these days, I think Google defaults to trying to open everything in HTTPS by default.
*Thread Reply:* BTW I got around this “limitation” by creating a Webclip plist in Configurator and uploading to InTune to distribute as a custom configuration.
Hi, did somebody ever get the screen “Page expired” in Company Portal app on a supervised device after the user types in his credentials?
So I was going through this article regarding migrating ADE devices from one instance of (whatever) MDM to Intune. They mention that it would make sense to unenroll the devices before the users create a backup and factory reset their devices, because otherwise the MDM profile would be also stored in the backup and that would interfere with the enrolment of the device into Intune since the device would receive a new MDM profile. I’m kind of confused, because from what I know the MDM profile is not part of it and is only re-applied when you use the QuickStart option (which the users shouldn’t). If you use “Restore from Backup” or “Restore from iTunes Backup” during device activation it shouldn’t copy the old MDM profile right? https://techcommunity.microsoft.com/t5/intune-customer-success/migrating-ade-ios-devices-to-intune/ba-p/1898028
Remember that restoring to the SAME hardware yields different results than restoring to new hardware (other phone)…
*Thread Reply:* Same thing that I remember..Problem is that the official documentation of Apple only targets private users and never explains the ins and outs of the enterprise part.
if a profile fails to install, will it keep trying by itself? There is no option to push it back out manually like there is with other vendors.
*Thread Reply:* Do you mean the MDM profile or a configuration profile?
*Thread Reply:* configuration profile. or even if an app fails for whatever reason will it just keep retrying automatically?
Curious.. anyone have Shared iPad (iOS 14) working with Intune? Seems to hang-up at the end of the wizard (where it’s waiting for all the final configs to apply before it closes the window)
It seems Microsoft doesn’t provide the option (in the DEP Profile Creation screen) to not wait.
*Thread Reply:* Hi Woody, have experienced this myself. Not sure if it was the root cause, but in my case I used an iPad with not enough storage for Shared iPad. With another iPad (with min storage in accordance with the req's) we succeeded. However Intune did not mark the iPad as Shared iPad every enrollment.
*Thread Reply:* Good suggestion, @Tim! I’ll take a look into that further
*Thread Reply:* @Tim It’s behaving much better on devices with 64+GB of memory. Initial test was from a 16GB unit, so that checks-out. Appreciate the refresher!
It would be something like this, if it were provided
@Niklas Jenslöv has joined the channel
Working with Update Rings. I’ve got machines that have been made part of the Semi-Annual Channel group. If I look in the portal it’s showing that some of the machines are “up to date” but they are on all different versions. Is that normal?
*Thread Reply:* Or is “up to date” just in terms of security patches, not minor/major OS versions?
*Thread Reply:* Okay, I think I self-solved this.
Anyone here happen to be managing W10 IoT Core/Enterprise clients with Intune for MDM control while still using SCCM for patching?
*Thread Reply:* It appears to all be covered here. Anyone have any color to add to that document? https://docs.microsoft.com/en-us/windows/iot-core/manage-your-device/intunedeviceenrollment
Anyone using CBA for iOS Mail with SCEP? On the device the mail account still prompts for a password. The certificate has been issued and is on the device. Root certs have been successfully deployed. Email profile and SCEP profile are successfully deployed. Any special values needed in the SCEP profile? Do I choose the Root CA or the Issuing CA cert within the SCEP? I have not uploaded the root certs via PowerShell into Azure to make them known - is this still mandatory?
Yes, you need to upload root certs (and intermediate) to Azure
AND make sure the CRL is available from MS to your PKI
@Mikey2000 Is the mail service you’re connecting to (presumably O365) enabled to accept CBA?
*Thread Reply:* Good input Woody, didn’t think about that. Didn't enable anything within Exchange Online, everything default.
*Thread Reply:* https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-certificate-based-authentication-get-started
*Thread Reply:* You basically provide AAD the identity of the issuing CA, configure it to accept CBA, etc
*Thread Reply:* Great, thanks. Silly me, I thought this might work out of the box! 🤣
*Thread Reply:* With it all being MSFT you’d think it would… but then again.. being MSFT…. yeah. Nuff said.
*Thread Reply:* And it works! 😜👍
*Thread Reply:* Does anyone know why Intune issues 2 user certificates for one iOS device? Is everyone else seeing this?
*Thread Reply:* I guess that explains it - https://docs.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep
*Thread Reply:* @Mikey2000 Did most of it fall in-line with that MS Doc above? It’s been awhile since I’ve done it
*Thread Reply:* Well no not all of them. I have plenty of devices which have only one profile but multiple certificates. But I believe this happened after modifying the SCEP profile and that triggered new certificates and the old certs remain. But I am not a huge fan of publishing the NDES to the Internet - compared with MobileIron, where the KCD setup with Sentry is much smoother!
*Thread Reply:* Did you install the Certificate Connector?
*Thread Reply:* https://docs.microsoft.com/en-us/mem/intune/protect/certificates-scep-configure#install-the-microsoft-intune-connector
*Thread Reply:* Should prevent you from having to expose NDES to the world
*Thread Reply:* @Mikey2000 do you remember the SCEP Proxy back in the day? Where MI exposed NDES to the world? Short lived, but I felt the same way about it
*Thread Reply:* Yes indeed - I remember that son of a gun! 😜
is it possible to set notification redaction on lockscreen per app on Android (fully managed) or is it a one size fits all? For example we want SMS notifications to be redacted to not show content but other apps are fine
*Thread Reply:* thought so 😞 thanks for clarifying
Is there a way to unenroll devices in bulk from the console or do I need to use the API for this?
*Thread Reply:* To bulk delete remaining devices (by OS) in your MEM environment you should be able to do so by:
The MDM protocol supports the ability for an MDM to disown or end enterprise management (2 different things). Along those lines, the ABM account for Apple devices also allows you to prevent an MDM from disowning, in a case where your helpdesk does not need the ability to do this and you only want the disown option to be done by a smaller, device-focused admin group. Disown is the more painful one; you should equate disown with selling or recycling the device.
*Thread Reply:* As a sub question here @Todd Cole, how do you bulk disown devices in ABM? With the update earlier this year in ABM we lost that ability to copy and paste IMEI #'s (only separated by a semi-colon). I find myself doing them 1-by-1 when sending back to ecycle.
*Thread Reply:* You can still enter serial numbers with commas and bulk manage
*Thread Reply:* You can do things like search for specific devices (highlight them) and then release. Also you can filter searches by device type (so you can flag older devices, as an example) and then highlight and disown. I also think if you need the ability to disown devices via something like a CSV spreadsheet, please open a support ticket and ask for the capability again. Finally, this ability can be done via the MDM, and in many cases they can filter a bit better than the ABM interface directly.
*Thread Reply:* You can also do what Peter mentioned with pasting the list into the field.
Hi, has anyone got a spreadsheet with WS1 profiles mapped to Intune?
*Thread Reply:* You mean same or common profiles in both the EMM tools, in common?
*Thread Reply:* we are migrating from WS1 to intune and I need to map all profiles from WS to Intune.
*Thread Reply:* I need to find equivalent settings for WS1 controls in Intune
*Thread Reply:* Not all controls are available from what I’ve seen
*Thread Reply:* do you know which ones are not available ?
*Thread Reply:* it’s the same API, I don’t expect massive difference in controls available.
*Thread Reply:* it’s more the fact that I think WSO is easier to use
*Thread Reply:* also switched from WSO to Intune 2 months ago, because of job change
*Thread Reply:* I thought the same at first, but now prefer Intune. You get used to it really quick.
*Thread Reply:* I feel like certain things are more difficult to find, but maybe it's just a matter of getting used to it
*Thread Reply:* Haha @Matt Dermody I guess I'm everyone's default ping when it comes to this stuff now 😛 I don't actually have a breakdown of the differences, but I do know the profiles in Intune are more limited than those of WS1, especially when it comes to Android, which is to be expected as Intune is leveraging AMAPI, which is not as mature as the typical DPC approach WS1 and other MDMs currently use. Honestly ZL, you will just have to look at your profiles 1 by 1 and match them best you can. I have backed away from Intune after doing a demo for management and showing them some of the missing features along with the added support time it takes to do common tasks in Intune vs WS1 and how that will increase call times for our help desk and desktop support staff; they are backing off on making the change at this time. I'm sure once I fully adjusted to Intune I would like it well enough, but I agree with @Jay that not only is WS1 easier to run for someone who is not well versed in MDM but also still considerably more feature rich. That's just my view on it though and I know that view is not shared by everyone.
*Thread Reply:* I see. I should have mentioned that I’m looking for the iOS breakdown. I remember doing a migration from BB UEM to Intune and it was 100% compatible, all BB UEM controls were available in Intune. I guess Android is slightly different.
*Thread Reply:* AMAPI basically means that Intune does the bare minimum for Android Enterprise as defined by Google, whereas other EMMs like WS1 have custom DPCs that can do a lot more beyond the base APIs. If you were managing Android I think you’d notice some big differences, especially in Dedicated Device / COSU / Work Managed / Device Owner environments.
*Thread Reply:* I've personally seen differences in both iOS and Android Enterprise. Since Android takes far less to get up and going, that is what I focused on when doing my demo for management; it's also where Intune seems to be lacking the most at this time. I'm sure Intune will be a great product at some point, but as you find a lot of the consultants in here posting, they have had customers make the jump because of the cost savings only to regret it and switch back to their previous MDM, as it still feels like Intune is an afterthought for MS, at least in terms of mobility.
*Thread Reply:* We are a BYOD shop for the most part, but management doesn't like the idea of MAM as it does not work for every app; as a result Intune is lacking a lot of quick support features our staff use when troubleshooting issues. An easy go-to example for me is trying to remove a profile/restriction to see if that is the cause of the user's issue. In WS1 this takes less than 30 seconds; in Intune the fastest I've been able to fully pull away a profile from a device was 5 mins, but on average in testing it takes me 7-15 each way. That's a hard pill for our management to swallow since we work in health care, and telling a doc they have to stay on the phone with us for 10-30 mins to test and hopefully fix their issue, when we can do it all in well under 5 mins now.
*Thread Reply:* One other thing that drives me nuts about Intune, that I'm still shocked is this way, is the fact that the numbers/reporting of devices is not real time. Instead it seems to take about a day to sync up and report correctly. To me that should be a fundamental feature from the start, and when my company sent me to an Intune training/certification with MS I asked the trainer about it and he said it's one of their most common complaints but didn't have an ETA on when it would be fixed
*Thread Reply:* Best of luck to you sir, it's not a horrible product at the end of the day, just one that needs a little more time to bake. On the plus side it makes the O365 integration a hell of a lot easier 😄
*Thread Reply:* QQ: does WS1 have documentation on each profile restriction? e.g. “Force unprompted screen observation for managed classes”
*Thread Reply:* https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/index.html
*Thread Reply:* if i google for “Allow Biometric ID to unlock device” nothing comes up
*Thread Reply:* is it behind the paywall or something, or do you need to be part of the club?
*Thread Reply:* I’m lost, why would they not make this info freely available.
*Thread Reply:* Nope, just need to create a free account. It just might be that the term you're searching for doesn't pull up because of how they worded it. I would suggest looking through the platform guides as your starting point.
does anyone know if you can run Safari in single app mode locked to a specific URL on iPads? I can't find anywhere to configure the Safari app as it's not an app in VPP, so can't find where to apply any specific key/value pairs
*Thread Reply:* ignore me, just realised I have no reason why I can't deploy the Edge browser and use this...
*Thread Reply:* Yes you can. Use the single app mode payload for locking down the app. Then use the content filter payload to restrict the URLs
*Thread Reply:* @Mathieu Beaugrand thanks for that! Was looking in the device restrictions as opposed to device features for this option, hence why I couldn't see it.
Does anyone know if it's possible to 'hardcode' a common name for a user cert (SCEP) in a configuration profile? The UI lets me do it, but it deploys with an error. The manual page says nothing about it either way
I wonder if the error is because of this or something else - as usual there is no further information about it other than "Error (0 - No error code)" 🙄
hi all, if I have an Android app set to required I don't have the ability to uninstall the app (for example for issues with the app: uninstall/reinstall). Do I have to create a specific group, add the user/device to this group to uninstall the app, then remove the policy to reinstall the app? I can't find any setting that allows apps to be deleted even if required. Seems an extremely long-winded way of doing things!!
*Thread Reply:* you uninstall apps by assigning a device or user group with Uninstall assignment.
*Thread Reply:* is this an internally developed app ?
*Thread Reply:* no, it's just a public app, but it's a bloody pain to have to do that for just one user, so was checking if there was something that had been missed..
*Thread Reply:* long story short, I'm testing the Microsoft Defender MDATP app but forgot to assign the app config, so wanted to delete the app for it to apply when I reinstalled it
Hello, can someone give me an example of when I would need to configure IntuneMAMUPN with the app configuration policy. As per: https://docs.microsoft.com/en-us/mem/intune/apps/data-transfer-between-apps-manage-ios#configure-user-upn-setting-fo[…]oft-intune-or-third-party-emm
*Thread Reply:* Configuring the user UPN setting is required for devices that are managed by Intune or a third-party EMM solution to identify the enrolled user account for the sending policy managed app when transferring data to an iOS managed app.
*Thread Reply:* what is a policy managed app and what is an iOS managed app?
*Thread Reply:* someone correct me if I'm wrong, but my understanding is a policy managed app is, for example, being able to cut/copy/paste info from Word to Excel if those apps are listed in the policy, as long as those apps are signed in with the UPN and O365 account. An iOS managed app is similar but applies to any app you deploy as managed and, for example, can be used for removing data when a user unenrolls a device and to prevent backing up app data to iCloud, also an element of control over what apps can share info using the share button
*Thread Reply:* Based on what I read (and looking at the 2 linked articles in the original article) it appears that the page you linked to refers to a method to configure a few apps to use the variable “IntuneMAMUPN” for UserName variables in AppConfig profiles. There is support in the Intune console to support Managed App Config (supported by many MDMs and a standard that Apple and others use to allow for managed app configuration via a definition dictionary). There is a link in the page to an article on specific configs for Outlook, and then in that article a link to a page that defines how to set App Configs for other apps (that support the function; not every app can be configured via app config, and the author of the individual app must design the app to support App Config functionality). Hope this helps a little
*Thread Reply:* Still don’t understand when I would need to do this. What problem this resolves in one sentence ?
*Thread Reply:* I feel this has something to do with application protection policies
*Thread Reply:* This allows you to assign a variable for the username on managed applications. Rather than the users entering the data, you can deliver it from the MDM.
*Thread Reply:* When would I want to do this ? Can you give an example where you have configured this and what issue this has resolved.
*Thread Reply:* I don't use it, I am just reading the docs, knowing what the MDM protocol includes.
*Thread Reply:* I see, I was looking for real life example. Thanks anyway.
Sanity check: Shared iPad. ABM is set to Federate with Azure. DEP Wizard completes, user signs-in with Azure. Wizard still wants user to set a local passcode. I don’t recall this being necessary? Or must it be set to enable data encryption?
*Thread Reply:* @Todd Cole this is what I was getting at
*Thread Reply:* If you require encryption, a device pin or password is a requirement
*Thread Reply:* @Mark Vonk this is what I’m getting at
*Thread Reply:* Hi Woody, this is default behaviour: https://support.apple.com/en-gb/guide/mdm/mdm6c592d817/web
Sign into Shared iPad with federated authentication accounts
*Thread Reply:* Thanks @Tim! Yes, I located that article after I posted haha. I appreciate the follow-up 🙂
Hello folks. Does anyone know in which of the below enrolment scenarios Intune admins are able to see personal apps on user devices?
*Thread Reply:* Wanted to lab this but it looks like data is synced once every 7 days.
*Thread Reply:* Ok it looks like first two are out of the question and probably the number 3 as well.
*Thread Reply:* None, as this is now restricted in Android 11.
*Thread Reply:* On older Android versions, COPE would have been the only mode where you could see personal apps, however this mode has been in preview for months. I doubt they will invest in releasing it for older Android version now with all the changes in this mode on Android 11.
*Thread Reply:* When you say older, what version do you have in mind?
*Thread Reply:* What do you mean by personal apps? I would say that true personal apps only exist on Work Profile devices. For those devices (corporate-owned and personally-owned) the apps are not inventoried, as the user has true privacy based on the Work Profile construction.
*Thread Reply:* Besides that; currently there is no app inventory at all for Fully Managed and Dedicated devices anyway.
*Thread Reply:* Also, Intune relies on the Android Management API. That means that only the new model of Corporate-Owned devices with Work Profile for addressing the COPE use case is available. But it is available for Android 8 and later.
*Thread Reply:* @Peter van der Woude when I say personal apps, I mean apps listed under “Discovered Apps”
*Thread Reply:* At this moment you will see that you only have an inventory of apps on personal devices with a Work Profile. However, the apps that you see are only from the Work Profile (and system apps). So technically no personal apps, only company apps. The privacy that the user needs.
*Thread Reply:* @Peter van der Woude great explanation 👍 https://www.petervanderwoude.nl/post/android-enterprise-and-microsoft-intune-and-the-previously-missing-use-case/
*Thread Reply:* Pushing this to a configuration in our Intune now.
*Thread Reply:* @Woody Not really as you'd (or at least I'd) expect. Open up company portal, asks for Microsoft credentials (somewhat expected), but then tries to run you through the 4 steps of enrollment, including downloading a new profile.
*Thread Reply:* @Jordan Philip Darn! That’s what I was afraid of
With Intune, I’ve got a customer who found it was easier to enroll W10 machines under one service account instead of each user that was actively using the machine. The result is all devices are managed, but they all show under that single service account.
Q: Is there a way to shift the Intune association from the service account to the account of the primary user for said machine?
*Thread Reply:* this might help - https://www.petervanderwoude.nl/post/changing-the-primary-user-of-windows-devices/
*Thread Reply:* Haha @ZL I had just found this https://www.stefannordkamp.nl/2020/03/11/change-the-primary-user-in-microsoft-intune/
*Thread Reply:* Please let me know if it worked as I haven’t used this feature yet.
Hey folks! I need to find an Apple ADE and Android ZT reseller in the UK, we have around 50 iOS devices which need to be provisioned into Apple Business, anyone aware / could recommend a partner I should reach out to? For ADE I tried the local Apple store route then realised the store was obviously closed at the moment 🤦♂️
*Thread Reply:* @Leon Any shot you have a Mac running Configurator?
*Thread Reply:* Leon, as Jordan is pointing out, any Mac running the free application from Apple known as Apple Configurator (AC2) could be used to solve this issue. If you need help using AC2, drop me a PM.
*Thread Reply:* I've also created a guide here back a couple years ago when we were all pretty excited when this was intro'd. This guide is MaaS360-centric, but can be adapted for any MDM solution with slight modification on page 7, ignore page 6, whereby we can create a more generic "MDM Server", the device will show up in ABM as "Added by Apple Configurator", and we can simply reassign from there, no need to create and adhere to the profiles created by Configurator or MaaS360.
*Thread Reply:* @Leon if you have purchased the devices already and where you have purchased them from cannot enrol them into ABM, then Apple Configurator on a Mac is your best bet. Regarding the Zero Touch devices, again same principle, but if no luck the manufacturers tend to be able to add them directly into Zero Touch as long as they are compatible devices. I work for a UK telecoms company, so give me a shout if I can be of assistance in any way
*Thread Reply:* Thanks for the responses folks, yes indeed I am aware of this being possible using configuration, but I am after a reseller who would consider uploading all of these devices on my behalf, even if for a fee per handset? Or is this just not possible. Also outside of this requirement, a recommendation on a provider who we could purchase devices from in the future (and potentially recommend to some of our customers) would be great
*Thread Reply:* Hi @Leon i've dropped you a PM with some details.
Thanks @Woody for adding me here. We (at the HEINEKEN company) are using MEM for Android, iOS, macOS and Windows 10. I am wondering if there are any other folks here that are using MEM for Windows 10 on scale; we aim to use it on about 65K Windows 10 devices; partly 'native' MEM so cloud-only and partly in a co-managed scenario with SCCM. We added all our Windows 10 clients to MEM co-management and we are shifting the first workloads (WUfB, then Compliance, etc.). I would love to talk with someone that is working on the same thing in a large organisation.
Hello everybody #microsoft_endpointmanager, we are encountering a weird behavior on MEM with Android (WP And. Entrep.) & iOS enrollment. Once users are logged in with their credentials, the enrollment process is not starting automatically - users have to go into their "Device" tab in the Company Portal > click on their unidentified device "My Android" > there is an error message "This device is not managed" > click on the message, then start the enrollment process. It does not seem to be a bug but more a misconfiguration in the Azure tenant in my opinion. MS Support is investigating and they are looking into the MDM Scope & MAM Scope in the Azure AD settings (Mobility). Do you have any idea what we can set up for launching automatic enrollment after the user's credentials? See screenshots for more details. Thanks guys 🙂
*Thread Reply:* So when using the Company Portal, it is not automatically ushering-in the iOS/AE Profile enrollment wizard. Yeah?
*Thread Reply:* You’re having to go in and manually invoke it.
*Thread Reply:* For iOS, it might be easier to enroll into MDM via Safari and then push the Company Portal down as a managed app
*Thread Reply:* AE though, you’ll have to start in the Company Portal unless you’re using Zero Touch/etc
*Thread Reply:* Yes, exactly. It adds another manual step for users + this step looks like an error and it is loading the support team
*Thread Reply:* Weird that it’s doing that for AE. There’s no point to having CP on there if it isn’t ushering-in the management profile.
*Thread Reply:* @JmB just wondering have you tried this on different Android handsets? What devices are you using?
*Thread Reply:* we got this step on every Android device and on iOS
*Thread Reply:* That’s such a huge oversight @JmB. Then again, it is Microsoft…
*Thread Reply:* That sounds like a configuration of the enrollment settings in the Company Portal branding (see for the available options also: https://www.petervanderwoude.nl/post/customizing-the-microsoft-intune-company-portal-app-and-website/)
*Thread Reply:* Interesting! Have to admit I wasn't even aware that this was configurable
*Thread Reply:* Yes, I'm already on "Available with prompt" for device enrollment in the tenant customization
*Thread Reply:* @JmB has this resolved your issue ?
*Thread Reply:* Sadly not, I had already tested this option with "Available with prompts" and "Available without prompt"
*Thread Reply:* It does not change anything 😢
*Thread Reply:* @JmB is this your test user where you constantly enrol and wipe devices with? I remember having an issue where I forgot to remove registered devices in Azure AD for test user. Once I deleted all devices in Azure and in Intune devices started to enroll again.
*Thread Reply:* unfortunately all users are affected and I also did a cleanup on Intune + AD registered devices
*Thread Reply:* licences MS365 E3 + Intune service activated
*Thread Reply:* Users are part of an AAD group enabling bypassing of enrollment restrictions
*Thread Reply:* yes, got a meeting tomorrow, will keep you posted guys
Does anyone know Peter van der Woude by chance? Seems he would really feel at home here… https://twitter.com/pvanderwoude
*Thread Reply:* I do not but he seems like a glutton for punishment based on this blog title!
*Thread Reply:* He’s perfect for the community
*Thread Reply:* @Matt Dermody I was reading his material re: Shared iPad SSO. Dude is super polished. I’m going to reach out via DM
*Thread Reply:* I can message him too if needed @Woody? I have had some interactions with him in the past....
*Thread Reply:* @Leon go for it! I had sent a msg to @Pratik Dave, since I see that he follows him
*Thread Reply:* But if you’ve already got an open channel, let’s use it!
*Thread Reply:* Peter has some decent content I have been following his blog for quite some time 👍
*Thread Reply:* Just dropped him a message and he said he would take a look, but currently not using this platform (as I wasn't originally)
@Peter van der Woude has joined the channel
So @Peter van der Woude - In terms of Enterprise SSO Extension and Shared iPad…
*Thread Reply:* I’ve got Authenticator installed and signed-in with my AAD Account. Enterprise SSO Policy deployed. However, it does not invoke the extension
*Thread Reply:* My guess is that the Enterprise SSO config being pushed from Intune/Endpoint Manager did not send the config under the context of my user… but that of the “Shared Device”
*Thread Reply:* A shared device requires an additional key to be configured. For that information, see also: https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-ios-shared-devices#use-intune-to-enable-shared-device-mode--sso-extension
*Thread Reply:* @Peter van der Woude for Azure AD, can I use the built-in entry or should I leverage Redirect?
*Thread Reply:* Alongside that extra KVP you mentioned
*Thread Reply:* The built-in entry is often enough. From what I’ve seen the only difference is in the login urls that are used. The manual list contains a few more (mainly gov related).
*Thread Reply:* Okay, updated Enterprise SSO config to include the Shared boolean value
*Thread Reply:* For iOS, should the Authenticator just have my AAD account added? The MFA bit is above/beyond and not necessary. Yeah?
*Thread Reply:* Lastly @Peter van der Woude, in your Blog it had Shared Device Mode disabled. Does that need to be enabled for Shared iPad?
*Thread Reply:* Yeah, my blog was focused on the basic functionality. For shared devices you need to turn that on. By saying that I think that it might also configure that key already, but that should be an easy test.
*Thread Reply:* Okay. I just pushed it out. Still seems to be behaving in the same manner
*Thread Reply:* And the user is authenticated in the Authenticator app and the setting is shown in the profile (Settings > General > Device Management > Management Profile > More Details > Authenticator)?
*Thread Reply:* @Peter van der Woude Yes to the Authenticator. I can’t access the Device Management portion due to restrictions. I can lift those and check
*Thread Reply:* So Shared iPad prevents access to Settings > General > Device Management
*Thread Reply:* Ah, yes of course.. I would also like to test the behavior in my environment, but I currently don’t have a Shared iPad device.. that could take a while..
*Thread Reply:* I get this feeling 2021 is going to be the year of exactly what we’re discussing. More ROI out of iPad. Happy to be your eyes/ears if you want to Zoom/etc
*Thread Reply:* For me at least the start of 2021 is indeed Apple minded. Currently all in on Managed Apple IDs. Fun stuff. Thank you for the offer @Woody ! Will let you know!
*Thread Reply:* Hi @Woody, hope you’re well. Did I understand it correctly that you’re trying to deploy an AAD Redirect SSO Extension to a device (user) using Shared iPads for Business?
*Thread Reply:* https://support.apple.com/guide/mdm/shared-ipad-payloads-mdm05daf6e79/web
As you can see here, the “Extensible” SSO profile needs to be installed on the user channel. I’m not sure that Intune has this support yet.
With VMware WS1 or in some cases JAMF, you can choose to create a user or device profile for iOS/iPadOS just as you can on a macOS device. In this case we’ve got AAD SSO extension working.
Do not use the shared keys in this case, as the device is shared on the “OS level” and should not be set to be shared “again” on the “app level”. The shared key is for when you have a traditional device without this OS-level shared setup and want to share a device/make sure all apps are logged in/logged out at the push of a button.
*Thread Reply:* Hi @Anton I! Good to hear from you. Yes, that is correct. I would agree, I don’t think the SSO profile is making its way into the user channel. I will tweak my config and leave out the “Shared” elements.
*Thread Reply:* Sounds like a plan! I’ve managed to set it up on Workspace ONE (Shared iPads for business with AAD redirect SSO Extension), so the idea is good and should work once MSFT has figured it out! 🙂
*Thread Reply:* Also, try to test the SSO extension using the “private/incognito” mode in the browser. If you’re automatically signed in there, you know for sure the SSO extension has done its magic 😄
*Thread Reply:* Following this thread with interest guys! Need to start some work on all of the above, with an iPad due to be delivered for some testing within a couple of weeks
*Thread Reply:* Thanks for the tips @Anton I! It all makes sense. Now time to try and report back. Awesome to have you join-in @Leon!
*Thread Reply:* I’ve found that you need to have some app (Outlook, Word etc) trigger the Authenticator App first before Authenticator can be launched as an SSO extension in Safari…
*Thread Reply:* If you set the integer key “browserssointeraction_enabled” to “1” that should work as well 🙂
*Thread Reply:* I did. and Safari works, but not as the FIRST sso app.
*Thread Reply:* @Anton I I tried the SSO extension using a private tab in Safari, but it appears to be behaving the same way (no SSO extension engaging)
*Thread Reply:* @Woody did you deploy it to a Shared iPad for Enterprise device or just a normal device?
*Thread Reply:* @Anton I Shared iPad for Business/Enterprise. Same as shown here https://mobilxperts.slack.com/archives/CH3A5MY5D/p1611265238037000?threadts=1611262890.013800&channel=CH3A5MY5D&messagets=1611265238.037000
*Thread Reply:* If possible, try it on a normal device as I’m not sure that MEM supports user channel profiles just yet 😞
*Thread Reply:* I agree. I’ll give it a shot on a normal device in just a bit!
*Thread Reply:* @Anton I it checks out on a normal device. Reported to MSFT that they need to step up their game on the Shared iPad features 😜
*Thread Reply:* @Anton I do you know (from a VMW perspective) if you are able to set device channel security policies on a shared iPad?
*Thread Reply:* Testing with configurations made in the Intune UI and it doesn’t seem to have any bearing on the device. Tried to create/distribute directly from Configurator via custom XML and it seems to fail to install.
*Thread Reply:* @Woody VMW has implemented everything according to the Apple Documentation mentioned above. So yes 😄
*Thread Reply:* @Woody Just watched some Ignite sessions regarding MEM. User profiles for Shared iPads is "coming soon" 🙂
*Thread Reply:* @Anton I thank you for that!
*Thread Reply:* Any chance you have a link to that session?
*Thread Reply:* Enabling frontline workers with Microsoft Endpoint Manager
*Thread Reply:* Or maybe What's new in iOS/macOS management with Microsoft Endpoint Manager
Hey folks, has anyone seen where Notifications Restrictions (Hide Org Data) is not being honoured on the Android device in the Teams app? I checked the logs in Edge (about:intunehelp) and it seems to be there. Reinstalled the app (Jan 2021 version); min required is September 2020. Not sure what else can be done.
does anyone know if you can see what SSID a device is connected to on EPM? I can't seem to find this like i could in WS1...
*Thread Reply:* It's been a while since I played around in EPM, but I don't remember seeing that option in there either back when we were testing it.
*Thread Reply:* I concur @Boe. The MSFT UI is lacking in logs/details. I miss this a lot coming from other platforms
*Thread Reply:* the biggest thing I've noticed is the monitor section under configuration/assignment status. It tells one of my customers they have just shy of 100 devices that have configuration errors on their policies. If you drill down into those users they all have green ticks and the policies have successfully applied. We get their security team shouting that these devices don't have the policy etc. and you have to show them it's a fault in the UI; if you drill into the actual device everything is fine!
Is there an easy way to rename Android Enterprise enrolled devices in Intune? This is a KIOSK tablet and I would just like to rename the hash. One would think it would be easy, like MS Word, to edit the name and click save ... but that doesn't work. Any help here?
*Thread Reply:* not possible currently! One of my biggest bugbears with it at the moment!
Does anyone know if there’s a way to automatically log-out a user after X time of inactivity on a Shared iPad For Business?
Related: Is there a way to set the “grace period” as to how long the user can resume use of the device once the screen has turned off? https://support.apple.com/guide/mdm/shared-ipad-sign-in-mdm6c592d817/web
*Thread Reply:* It seems it would be part of this Configuration, but the device doesn’t seem to acknowledge it
*Thread Reply:* Does anyone know if there is a different behavior exhibited if it goes out as a Compliance Policy?
*Thread Reply:* The Shared iPad seems to basically be ignoring when either one of these are pushed
I'm just creating some new App config policies; does anyone know what the difference is between the highlighted Office apps (HL) & (ROW)
• com.microsoft.office.officehubrow preinstalled on Samsung devices outside the US and China
• com.microsoft.office.officehubhl preinstalled on Samsung devices in the US
*Thread Reply:* ah thanks @Almar Diehl that makes sense!
*Thread Reply:* haha it made sense in my head once Almar explained what they were for. Doesn't make sense why they have different apps 🤣
Could we blacklist a device by serial number in Intune? We can block by model and manufacturer, but that isn't granular enough.
*Thread Reply:* Can you create a dynamic group and have a PowerShell script that does something (deletes the device from the tenant) if that device is added to the group? Or add it to a conditional access policy of some sort.
Hi folks, anyone ever seen this issue when trying to enable Federated auth in Apple Business Manager? I attempt to auth with a global admin account, I can see the auth was successful in the AAD sign in logs;
Have you enabled Federated auth already? It seems so. Was this done with the same AAD domain?
*Thread Reply:* Yes, apologies, I forgot to add. Federated auth was indeed enabled for the same domain but a different AAD tenant. I removed this association and re-validated the domain name in ABM, however I still have the issue. I can confirm that sign-ins are being seen on the correct tenant
*Thread Reply:* Yes, I had the same issue. Had to create a support case with Apple and told them what steps I had done previously. After a day or two of going back and forth, they removed some entries in the backend and I could add the domain successfully.
My case with Apple was
*Thread Reply:* Perfect, many thanks for this Mark, very helpful
*Thread Reply:* as @Mark Vonk says, I had the same issue too and had to raise a support ticket
*Thread Reply:* Cool, yeah apparently it requires a reset of the IdP connector. Only happens in a scenario where you are using the same domain name to re-enable federated auth
*Thread Reply:* I’ve actually been doing some ABM with federated auth this week and I can confirm the behavior. The challenge is that there is a 1:1 relation for ABM with Azure AD and that can only be reset by Apple. That button is still missing from the UI.
Anyone using Defender ATP yet? Looking for good guides besides the official MS channels (for Win10 and iOS)
*Thread Reply:* The Msft one is pretty good. Check out Matt Soseman on YouTube, he is really good at it.
*Thread Reply:* I've implemented it as POC on win10 for a customer
*Thread Reply:* Great. I will start the implementation of a POC for Win10 also in the next coming weeks.
*Thread Reply:* Any pointers or lookouts?
*Thread Reply:* Not really it's pretty straightforward
*Thread Reply:* Make sure to use the lab, when asked what types of VMs to spin up choose the highest number of VMs but for the shortest period of time. If I remember correctly it was 24hrs
*Thread Reply:* https://techcommunity.microsoft.com/t5/microsoft-security-and/security-community-webinars/ba-p/927888
*Thread Reply:* Also check this page for defender webinars
*Thread Reply:* Great thanks. Already checked out some videos from Matt Soseman. Pretty cool! Did you also deploy ATP baselines? There is pretty much a lot of stuff in there.
*Thread Reply:* Also my device is always „not compliant“.
*Thread Reply:* start with compliance policy , see what can cause this. Have you deployed baselines ? Could be something in there.
*Thread Reply:* No I have only deployed the compliance policy for ATP with risk level „clear“ - that is being flagged on the device. But in the security center there is no risk shown. Weird. Maybe something wrong with my image. Already wiped it once - same issue right after the enrollment
*Thread Reply:* Do you Mark devices with no compliance policy assigned as Non compliant?
*Thread Reply:* https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-get-started
*Thread Reply:* No, devices with no Compliance Policy are marked as compliant - that default setting wasn’t changed
*Thread Reply:* https://docs.microsoft.com/en-us/troubleshoot/mem/intune/troubleshoot-policies-in-microsoft-intune
*Thread Reply:* use this to troubleshoot
Hello, is it possible to enable USB debugging on AE devices with a profile? MSFT documentation states: “You don’t have to configure this setting because USB debugging is already disabled on Android Enterprise devices.” Client has USB debugging enabled in WS1 and wants to have the same enabled in Intune.
*Thread Reply:* That indeed seems to be the default behavior. You can also see a specific mention of “Debugging features are disabled” in the Android Device Policy app and there doesn’t seem to be a policy to enable it again. At least not at this moment..
*Thread Reply:* Is this not what you want? I have enabled this for a customer's development team to troubleshoot a custom app of theirs
*Thread Reply:* I should have provided a bit more details. This is for the Personally-owned Work Profile (BYOD) enrolment type.
*Thread Reply:* You are absolutely correct! I missed that setting. After enabling it, it also works for (company-owned) Work Profile devices.
*Thread Reply:* But it’s not available for personal devices
*Thread Reply:* I guess that means if they want debugging enabled it has to be a fully managed or corp-owned work profile device.
*Thread Reply:* That is what it looks like. Sounds funny though that you have more options to break your device in a company-owned scenario than in a personally-owned scenario..
*Thread Reply:* Need to test if debugging can be enabled manually
*Thread Reply:* Sorry, I don't have a Work Profile setup device to test with, but surely you should just be able to go into the settings of the device and tap the build number a few times to enable debug options?
*Thread Reply:* Yes! Just verified. On a personal device you can enable the debug options by default. Also after enrollment. The note in the docs is probably referring to the default behavior on company devices.
*Thread Reply:* Do you know if users would be able to access the work section via ADB?
*Thread Reply:* I haven’t tested that yet..
*Thread Reply:* • Most of the activity manager commands available in the Android Debug Bridge (adb) shell support the --user flag, which lets you specify which user to run as. By specifying a user, you can choose whether to run as the unmanaged primary user or work profile. For more information, see ADB Shell Commands.
Hey all, Happy Friday! Anyone here able to comment on the benefits or indeed drawbacks for enabling SCIM for iOS devices within ABM?
Another question all, iOS user enrolment in Intune, does anyone have a decent use case for this? The fact it requires a managed apple ID to me means it is not suitable for BYOD scenarios?
It's exactly useful for BYOD since the device is not enrolled (per se). Managed Apple IDs (MAIDs) have nothing to do with the device. When enrolling I guess you always know your user 🙂 (=> Managed Apple IDs make sense)
*Thread Reply:* Thanks for responding Peter, I suppose the concern I would see is the fact that on a personally owned device personal data would be backed up to iCloud using the MAID? I think I need to test more! My bad. But thanks again
*Thread Reply:* True. Device backups could be done into the MAID iCloud… But the user could also choose to have their own Apple ID for backup. The user is in control and can choose either AppleID. You can have two AppleIDs on a device (MAID + personal) when doing user enrollment
*Thread Reply:* Thanks Peter, it suddenly dawned on me that both can be used at the same time and I am now about to test it again. In that case then indeed! Useful for BYOD
*Thread Reply:* I should have reviewed @Peter van der Woude’s excellent blog post first! https://www.petervanderwoude.nl/post/federated-authentication-for-managed-apple-ids/
*Thread Reply:* Thanks @Leon ! More about User Enrollment is following this Monday!
*Thread Reply:* Awesome, I will for sure be looking out for it!
*Thread Reply:* @Peter van der Woude great post once again.
*Thread Reply:* BTW not sure if this is my browser or it is by design, but all pictures have “figure” label overlaid on them and that makes it a bit hard to read.
*Thread Reply:* Thanks @ZL ! You are correct. I have to figure out a way to make the overlay a bit less intrusive for smaller images. It’s not you, it’s me 😉
Anyone seen this when sending out a configuration Profile from Intune?
Profile only has the passcode configuration for easier access and the lock screen experience.
*Thread Reply:* My guess is that “Multiple notification settings/layout payloads” is tripping it up?
@Thomas Steinmetz has joined the channel
Hey folks, is there a way to prevent Intune admins from changing device ownership in device properties?
*Thread Reply:* Ok I found the solution, custom RBAC role does the job. Just had to wait for the change to propagate.
@Oskar Rodriguez has joined the channel
@Freek van Delft has joined the channel
Hey all, I'm trying to assign Work Profile password and Device password settings at the same time to Corporate-owned devices with work profile, and only the device password is enforced; the work profile password is ignored although reported green in the device configuration section. Is this by design?
*Thread Reply:* Is your work profile password set to Device Default? if so, it will take whatever you put as your device password policy
*Thread Reply:* alphanumeric for both, see my first screenshot
*Thread Reply:* http://eskonr.com/2020/11/the-case-of-unexplained-android-enterprise-work-profile-password-in-intune/
@Martijn Rijerse has joined the channel
Hi everyone, do some of you have a best practice for how to use conditional access together with shared iPad? More specifically I am pointing at least to the CA option 'require device to be marked as compliant'. So far I noticed when a user signs in to an app/resource that's behind CA, when working on a compliant shared iPad, CA still requires enrolling the device. I guess this has something to do with the fact a shared iPad is marked as 'enrolled by user UPN: None'. Anyone?
@Massinissa Menas has joined the channel
Anyone been doing iOS user enrollments on Intune? I can enroll just fine with my managed Apple ID, but nothing gets pushed. No apps, no profiles, nothing. I can see the device in Intune and perform a remote lock and also sync. Suggestions?
I’ve assigned a few apps (VPP) to my test group and assigned them with user-based licensing both as required and available apps. Nothing shows on the device “no apps available” 😞
@Patrick Hogeboom has joined the channel
Hello there. What are the main differences between Intune and SCCM for macOS management?
*Thread Reply:* This is a very high level question, is there a particular problem you are trying to solve?
*Thread Reply:* A customer would like to test both solutions. I just wanted to know if there is a huge difference before testing.
*Thread Reply:* I think the question should be, “What is the long term strategy?” (Cloud first? Modern management? Continue to manage everything on-prem? Cloud identity?) and what are the security requirements. Based on that you can make a decision and it could be that neither is a good option and you need to implement Jamf.
*Thread Reply:* @JMartinez as far as I've seen it's not a toggle in any vendor, but I could be wrong; this should be controllable from a network level anyway. We can certainly not allow it on mobile networks in the UK but not sure if other countries have it this simple...
*Thread Reply:* No toggle for Android for sure. If supported by an OEM it would be via OEMConfig.
Does anyone know if it is possible to reset device password on a Corporate-owned device with work profile?
*Thread Reply:* It should be possible on Android 8-10 (Work Profile on Fully Managed Device), not possible on Android 11 (Enhanced Work Profile)
*Thread Reply:* how do you do that if you have work and device password set? (Android 10)
*Thread Reply:* Depends on MDM… WS1 has separate actions for each - like Clear Work Password to clear Work Profile challenge only vs Clear Passcode if I remember correctly.
*Thread Reply:* Ahhh… sorry MEM channel… not sure if this is supported with Intune as they use Google’s AMAPI
*Thread Reply:* and AMAPI never supported the previous Work Profile on Fully Managed Device mode. So I would say not supported by MEM
*Thread Reply:* I am not sure on android, but for iOS devices if they are supervised by an MDM then you can reset the passcode via the MDM (assuming the device is on a network and can get the command from the MDM)
*Thread Reply:* Intune can only reset the passcode of the Work Profile.
What could be the cause of App Protection Policies not kicking in on iPads? They are enrolled via DEP with user affinity. We have tried rebooting, signing in and out of the apps, restarting the apps but to no avail. App protection policies are targeting all device types (both managed and unmanaged), configured for all Office apps and assigned to a user group containing the users that we test with. App Config for Edge (both for managed device and managed app) seems to be installed, but is not applied and when inspecting the app protection policy no devices have been hit by the policy.
Any thoughts?
*Thread Reply:* Do you have the same behaviour on unmanaged devices?
*Thread Reply:* Can you see values apply when you troubleshoot in Edge via about:intunehelp method?
*Thread Reply:* you can force app check in by reinstalling the app
*Thread Reply:* also see if you have more than one policy assigned to a user and it is causing a conflict in the "Troubleshooting + support" blade
@Michael Schiefele has joined the channel
@Mathieu Maillet has joined the channel
Does anyone know if the Exchange Connector also supports other products like Domino with ActiveSync?
*Thread Reply:* The connector supports Exchange Server 2010 SP1 and later. It doesn't support products like Domino. Besides that, the Exchange Connector is deprecated beginning July 2020. The new way is Hybrid modern authentication, but I don't know if you have more luck there…
https://docs.microsoft.com/en-us/mem/intune/protect/exchange-connector-install
Hi All, I have created a Microsoft UserVoice to request that the Microsoft Teams app have an option to be password protected using App Protection Policies. As Teams becomes more and more in use for both internal and external use, a few customers have asked whether this can be PIN protected like the Outlook app, especially for BYOD devices. If you like the idea, please upvote it! https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/42752624-microsoft-teams-app-protection-policies-pin-re
*Thread Reply:* Ajay you should be able to do this now unless I'm misunderstanding what you're trying to accomplish. We require a PIN as part of our MAM policy for all MS apps. So for our users after they launch Teams for the first time they get prompted to create a PIN and have to enter it after x amount of time of being out of the app.
*Thread Reply:* Well this is what I thought; unless I have it wrong, it only seems to apply to the Outlook app and no other app
*Thread Reply:* Ignore me, you are correct! I'm going to delete the uservoice! haha
*Thread Reply:* lol I'm glad you got it working I was just about to go get you screen shots of ours 😄
*Thread Reply:* yeah it's just policy not playing ball today for some reason. My test iOS device wont even ask for a PIN to be set during setup!
*Thread Reply:* I read that an hear "come on managing mobile devices will be fun, you will like it" 🤣
*Thread Reply:* yeah i hear that! while i have you maybe you can help me with something else! Where can i set it so users can use face unlock/biometrics? It's enabled in the policy but i can't find anywhere to enable it to be used in any of the apps
*Thread Reply:* Umm I'm not a big Intune guy we are still exploring it as a replacement for WS1 long term but let me take another peak and see if I see anything
*Thread Reply:* @Ajay Patel is your issue with iOS or Android that its not working for biometrics?
*Thread Reply:* havent got round to testing for iOS yet but the screenshot i sent you above is Android and that is set to allow
*Thread Reply:* what is the actual experience im supposed to see? When i open the app its supposed to prompt me to use a PIN?
*Thread Reply:* Okay so on iOS you are probably good to go if you have that set the same. On Android, if this is BYOD and you are using the Work Profile, the user needs to go in and register work profile fingerprints for the system to prompt for that vs the PIN
*Thread Reply:* No BYOD, just app protection policies! However I am going to go get myself a stiff drink and call it a day! I have 3 of the exact same devices in front of me and was using the wrong one for testing. This one didn't have any form of biometrics set up on it! Good Night!!
*Thread Reply:* Have a good one Ajay hopefully that stiff drink kicks in fast 😄
Hello everybody, was wondering if the following sounds familiar to somebody: Samsung devices (Android 9 and 10) enrolled in Endpoint manager using KME. Within KME selected 'disable all system apps'. The devices are enrolled as Corporate-owned devices with work profile, but after the whole enrollment you end up in the home screen and all system apps are still enabled? When enrolling Fully managed devices using the same KME profile results in all system apps disabled? Anybody?
*Thread Reply:* Most of the apps are available in the personal profile and not in the work profile. Also, I do see a difference in the available apps in the personal profile with that setting on or off, but it seems to be mainly some grouping and some Samsung apps.
*Thread Reply:* This is default behavior. In KME, with Intune, disable the system apps. Enroll a WPoFMD device > system apps will be installed in the personal profile, but not in the work profile. Fully managed devices basically have a Work profile only. Hence, no system apps are installed.
*Thread Reply:* Strange though that enrolling an Android 10 device with the same KME profile for MI Go does result in disabled system apps on the "private" side. Is this due to MEM using AMAPI?
*Thread Reply:* Not sure why the behavior is different per MDM.
*Thread Reply:* Technically speaking, because Intune relies on the Android Management API, it’s not a Work Profile on a fully managed device. And yes that could be a reason why the behavior might be different..
*Thread Reply:* Thank you all, was expecting an answer in this context and specifically related to MEM, but it isn't documented very well at Samsung and Microsoft.
*Thread Reply:* Yes, we’re checking MS Tunnel on our test tenant
*Thread Reply:* Got it setup in a lower environment, while it works it’s got some limitations on Android (could be that I’m a noob) where you have to manually enable the connection in the MS Tunnel app when you want to use the feature.
*Thread Reply:* @Scott Arndt when you create a VPN profile with Always-On enabled, the VPN will automatically try to connect (after the installation of the Microsoft Tunnel).
*Thread Reply:* @Anton I I’ve actually got one running in my lab at the moment. So if you have any questions, let me know..
*Thread Reply:* Yes, got it set up and it works brilliantly. It’s a shame it’s still in Preview.
*Thread Reply:* Thanks everyone. Did a quick test late last year in a lab environment as well.
I’m curious how you designed your load balancing and so on? Also, how have you set it up regarding sites in Intune and what kind of maintenance on the Linux server itself are you planning to do?
*Thread Reply:* @Peter van der Woude thanks, I’ll try this. Also, for split tunneling configuration I’m seeing some challenges with resolving public URLs, does a public DNS address need to be setup on the server configuration page for this to work?
Good Morning guys! Are you having problems with the Knox OEM profile and Android Enterprise fully managed? I'm trying to disable MAC randomization and the OEM Knox profile on Intune allows it... but I have not been able to do it. I guess the right way to apply this config is: set the OEM Knox profile and the Knox service plugin to apply this profile
*Thread Reply:* Hello, you can disable MAC randomisation with Knox Service Plugin for an SSID by deploying Wi-Fi with KSP
*Thread Reply:* Hi Florent! But not via Intune?
*Thread Reply:* you deploy knox service plugin as a managed app
*Thread Reply:* and configure it using the managed app configs.
During a PoC we’re blocking every device type to be enrolled using the default enrollment restriction, and are allowing only certain PoC groups to enroll via another separate enrollment restriction .
But we would also like iOS devices without user affinity to enroll via DEP/ABM despite this. Can this be solved?
*Thread Reply:* You could block personally owned iOS devices in the enrollment restrictions. For Intune every mobile device is personally owned unless they come from ADE or the corporate device identifiers were uploaded.
So every device is blocked, except your devices coming from ADE. Does that fit with what you’re trying to do?
*Thread Reply:* @Nico Hermeling Does that only block iOS user enrollment or could you still enroll using device enrollment (but not choose company owned)?
*Thread Reply:* That should block device enrollment as well, where the user hasn't chosen company owned. But I haven't checked that yet.
is it me or is the microsoft documentation wrong about using KME and leaving the JSON blank? How does it know which enrollment profile to use? I've defo used the JSON on all my other intune enrollments 🤣
Hi everybody, I have a question regarding Compliance Policies that target restricted apps. I added two iOS apps (App A and App B) to Intune, but I didn't assign them to any group. I then created a blacklist policy for iOS apps, assigned the apps including bundle ID to it and then assigned it to all iOS devices we have. My own device that has one of the apps (App A) installed is telling me it is compliant, which is weird to me. The second app (App B) that is also part of that blacklist policy is always being detected by the policy and is notifying me about my device not being compliant as expected. I checked the bundle ID (for App A) and it is definitely correct; in fact on a second test instance of Intune the app is being detected. All the information is the same, but in my production environment it is not really working 100% reliably. Is there anything that I'm missing here?
@Alexander Wendling has joined the channel
Hi all, I’m searching for a solution to deploy PDF files to an Android Enterprise device. Especially dedicated devices, but would love to find something for any AE type. The PDF files should be on the device for offline use. Any idea?
*Thread Reply:* What EMM? Some offer Content Library features where you can distribute offline content to a locker of sorts on the device
*Thread Reply:* Sorry, just saw the channel 🤦♂️. I thought I was in AE
*Thread Reply:* There is nothing native AFAIK but there is a uservoice you can vote on to get this higher up the priority list. https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/9564453-push-encrypted-content-to-device
The other "workaround" could be to deploy OneDrive and the user can go and mark the files as available Offline. Someone could then manage those files centrally in OneDrive
*Thread Reply:* I was afraid of that. Thanks, Ajay 🙂
*Thread Reply:* So Intune doesn't support file system management in Android OR the ability to place documents within a document/content library of sorts?
*Thread Reply:* not to my knowledge anyway. It's about using the SharePoint and OneDrive apps to achieve that, however they haven't put controls in place like being able to force it to download offline etc.
*Thread Reply:* and no to the file system management
*Thread Reply:* I would think that OneDrive or Google Drive can fill the gap here depending on your organisation. We find it quite useful and currently don't see the need for a proprietary file management system. But as Ajay said, I don't see "Always Keep Offline" for OneDrive on WS1 as an option similar to desktops. This might be by design due to smaller hard drive space on mobile devices.
Hi. Looking for a way to see if / what devices my CA policy has been enforced on. The What If tool is not for that, troubleshooting has drop downs for other things, just not CA. Intune about:help (in Edge) is not conclusive. Any ideas? Thanks
*Thread Reply:* Devices. And how/where do I see sign-in logs? Thanks
Question: If I have a device that is actively listed in my DEP inventory and said device is retired/re-enrolled to Intune via User Enrollment wizard… is there a way for Intune to automatically classify it as Corporate?
*Thread Reply:* Never tested that scenario, but I would guess not. User enrollment always leads to employee owned as does DEP enrollment always lead to company owned
*Thread Reply:* So technically device is coming from source MDM (Enrolled via DEP) —> Retired —> New MDM (Enrolled via User enrollment). Not wiping and starting over.
*Thread Reply:* I would guess a list of known SNs + Powershell could change the owner to Company in a jiffy
*Thread Reply:* @Woody import device SNs to corporate device identifiers list.
*Thread Reply:* https://github.com/MicrosoftDocs/IntuneDocs/blob/master/intune/enrollment/corporate-identifiers-add.md
*Thread Reply:* I had that scenario and those devices were showing as “Personal” in Intune
*Thread Reply:* If you import S/N to corporate device identifiers list these devices will be marked as corporate owned even without DEP. Not sure right now if this applies post enrollment. I always did that before migration.
*Thread Reply:* Would be interesting to know how that impact devices after enrollment
*Thread Reply:* If not you can still use PowerShell to change ownership.
*Thread Reply:* But you can easily test it. You can add single S/N to that list manually via Endpoint manager console.
*Thread Reply:* @Ladislav Blazek Yeah, it only counts for pre-enrollment. I was doing some more reading last night.
*Thread Reply:* If you need to modify them post-enrollment it requires PS
Has anyone encountered a "Version not supported" prompt when attempting to sign into Company Portal? DEP iPhone that restored from a backup, so it received 4.6.0, current Company Portal version is 4.13.0... since user affinity is applied using single app mode, not sure how to get this company portal updated.
Does anyone have any Graph API scripts or other ways of reporting on things inside EPM? The built-in monitoring and reporting is absolutely diabolical! I've never dabbled in the Graph APIs so would be willing to try to get an understanding of these if anyone has any good reference points to start with.
*Thread Reply:* Here you go powershell-intune-samples.
*Thread Reply:* Thanks @Jay, they look great! Do you by any chance know what permission is needed in AAD to create the Intune PowerShell connection? Just reading the setup, I need to create an app registration in AAD that allows access to the Intune Graph API, but my account on one of my customers' tenants is just an Intune admin, nothing more.
*Thread Reply:* Pheeew, my co-worker got my account set up for me so I really can't fully comment on that. I just know that you have to go to portal.azure.com, there you'd have to type in "App registrations" in the search bar on top, then go to "All applications" and in the search bar shown there you have to type in "Intune". That will point you to "Intune Graphic API". Clicking on that you can copy the "Application (client) ID" shown there. This is the ID you need to add in every script. But in regard to the permissions for your account I'm not sure what he changed, sorry.
*Thread Reply:* once you have that, somewhere in the script you have to add in your account UPN and IF you have the right permissions you should be able to run the script afterwards.
*Thread Reply:* That's fine, I'll do some tinkering on my test tenant and see where I get to, but thanks for the link; hopefully they produce better results than what I'm seeing inside the web console...
*Thread Reply:* @Ajay Patel funny you mention this. Was on a call with a customer yesterday and he essentially said the same thing 😆
*Thread Reply:* Oh, it's a joke! I have a customer's tenant which is showing a few hundred devices as out of compliance. However if you click on a device and check why it's out of compliance, it's all green ticks and in compliance against every parameter.
*Thread Reply:* that’s behavior that I keep seeing. I often have the feeling that the UI is way out of sync with what is actually going on with the devices.
Is there support for SSO with Intune on Android Enterprise devices for browser (edge or chrome). We have an On-Premise application where we need SSO. On MobileIron you have to use Hypergate, is this also mandatory for Intune or is there another approach?
*Thread Reply:* And there is no way with CBA?
*Thread Reply:* You can’t go CBA=>Kerberos to IIS (or other backend)… You can go CBA => IIS if both your app and backend supports CBA…. This is often not the case…
*Thread Reply:* Why not use Azure AD App Proxy? It is capable of KCD on the AAD App Proxy agent side.
*Thread Reply:* But how would you use Kerberos on Android devices without Hypergate? AFAIK Kerberos is not supported by Android.
*Thread Reply:* You will authenticate with Modern Auth on AAD App Proxy side. Kerberos Constrained Delegation will happen then on AAD agent side. It will basically do identity bridging from Modern Auth to Kerberos.
*Thread Reply:* https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/auth-kcd
*Thread Reply:* Hypergate is needed only for pure Kerberos on Android = when you use Per-App VPN and browser is accessing web app directly.
*Thread Reply:* @Ladislav Blazek could you automate the first part of this (User Sign-In) with the Modern SSO/Identity stored in the Authenticator app?
*Thread Reply:* You can use (MS) Authenticator if your apps are federated with Azure and not using Kerberos. Kerberos and SAML/OAuth/WS-Fed etc is not the same. Your app/backend determines which auth method to use
*Thread Reply:* @Peter Mohr so let’s say back-end app is hosted by IIS and accepts Windows Auth (Kerb/NTLM). Is there a way to invoke/automate the KCD for the user at that point?
*Thread Reply:* Or do they first have to auth at the AAD App Proxy or is there a config that can be pushed to automate that from a Microsoft perspective?
*Thread Reply:* If you're running IIS with WIA (Negotiate) then your device needs direct access to your KDCs (domain controllers) and can then use Hypergate with certs to auth
*Thread Reply:* OR you can publish everything over MS App Proxy with pre-auth and then do some Kerberos (constrained) delegation… You run Kerberos from APP Proxy to backend
*Thread Reply:* so if your users are validated in Azure (with Company portal / authenticator) you can do pre-auth and kcd
*Thread Reply:* @Peter Mohr that last bit is what I was hoping for
*Thread Reply:* https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-single-sign-on-with-kcd
*Thread Reply:* So to arrange the KCD between the App Proxy and the backend.. is that sort of similar to what we used to do with the MI Sentry/Keytab/Service Account?
*Thread Reply:* Okay, the more things change the more they stay the same (ish) 🙂
*Thread Reply:* the app connector service SPN needs rights to do KCD. this is similar
*Thread Reply:* Sweet. Very familiar with that aspect of things
*Thread Reply:* Awesome. Greatly appreciate you hopping back into this thread
*Thread Reply:* Oh, one more thing @Peter Mohr. Same approach for Android Enterprise devices in terms of Comp Portal/Authenticator apps and pre-auth?
*Thread Reply:* what do you mean? You can’t do pre-auth for CP/Auth login… That is doing the auth 🙂
*Thread Reply:* Sorry, I was thinking CP/Auth login was “pre-auth” since it was taking care of it in advance for the user
*Thread Reply:* @Peter Mohr Okay, so App Proxy in that scenario I was describing is not going to be feasible. A lot of their sites/services are not HTTPS and therefore cannot be accessed using that method.
*Thread Reply:* Is there a means to deploy the native iOS SSO config and pull a Kerberos Ticket from a KDC using Microsoft Tunnel?
*Thread Reply:* Just thinking it through. Seems back in the day there were issues pulling a ticket directly via VPN.. which was why that MI Kerb Proxy existed for a while
*Thread Reply:* So if you’ve got Port 88 open from Device -->Tunnel --> KDC.. that would fly. Just trying to recall if the user has to auth or if there’s a way to automate that (in the MS realm) to get the ticket.
*Thread Reply:* If the Tunnel is using certs (don’t know if MS tunnel can do this) then you’re good
*Thread Reply:* should be able to since it’s per-app also which makes most sense with certs
*Thread Reply:* That’s my thought as well. Need to see how far they’ve gotten with the Tunnel appliance and FW rules.
I have a requirement that one user can have more than one device enrolled into Intune and those devices will have very different device configs. How can I achieve this in Intune?
*Thread Reply:* I might be over-simplifying this, but depending on how your existing policies have been set up (user groups etc.) just create an exclusion group that includes that user and assign that to the policy you don't want them to have. Then create a new policy and group for the policy you do want them to have
*Thread Reply:* It's the other way around, two different configs have to be assigned to one user.
*Thread Reply:* Example. One kiosk iPad and one DEP corporate phone.
*Thread Reply:* or assign policies to devices and not users
*Thread Reply:* That's not going to work well due to the delay in device dynamic groups assignment during the enrollment.
*Thread Reply:* My exp with device groups is that they are a pain in the butt.
*Thread Reply:* As the user is the same, you will need device (dynamic) groups.
*Thread Reply:* Does the kiosk device really need to be a personal (registered to that user) device? As it's a kiosk device, those typically do not have to be personalized
*Thread Reply:* With iOS (DEP) devices you can assign different DEP profiles to iPhone and iPad. Then create dynamic groups based on DEP profile name.
*Thread Reply:* @Mark Vonk this is just one of the examples. The requirement is to have multiple builds for a single identity.
*Thread Reply:* @Ladislav Blazek that would be device dynamic group ?
*Thread Reply:* @ZL yes. But it works quite well for me. Maybe because profile is assigned to device S/N before enrollment (during sync with ABM)
*Thread Reply:* @Ladislav Blazek so it is not a dynamic group ?
*Thread Reply:* for example device.enrollmentProfileName -eq “profile name”
*Thread Reply:* How do you separate iPads from iPhones using DEP profiles?
*Thread Reply:* Creating a second DEP server and configure auto assignment in ABM based on the hardware type?
*Thread Reply:* Aren't they going to end up in one big device pile in Intune anyway after the sync? I assume you would need to separate them somehow on the Intune side.
*Thread Reply:* you create a second DEP profile in intune. Then assign the serial number of that device to the second profile within intune
*Thread Reply:* I think both options are valid and depend on your operational model. You can have 2 MDM servers in ABM corresponding to 2 Enrollment program tokens in Intune = you will assign devices in ABM. Or have multiple profiles under single Enrollment token in Intune and do the assignment in Intune.
*Thread Reply:* I’m in the process of configuring this in the lab. wish me luck 🙂
Has anyone experienced the “Guided access app unavailable. Please contact your administrator” error when enrolling iPhone to Intune with Apple Configurator 2.
*Thread Reply:* Not with AC2, but that's what happened to me when I was enrolling and I had "Install Company Portal with VPP" set to "Use Token: xyz@contoso.com" in the default enrollment profile. The Company Portal app would usually take a few minutes to come down automatically, so I'd be presented with that screen until the app installed itself and the user could type in the credentials.
*Thread Reply:* I can see the app downloaded and installed, but then it gets stuck
Full Screen Web Clips… I’m pushing out a few web links to iPads that are enrolled using DEP. Some of them open in full screen whereas others don’t - Is there any way to control this? There is no setting available (that I’ve found) for utilizing this from the API that Apple has published here https://developer.apple.com/documentation/devicemanagement/webclip
*Thread Reply:* You can do it through Apple Configurator 2 and it’s the first setting in the Apple doc you’ve shared 🙂
FullScreen - If true, launches the web clip as a full-screen web app.
*Thread Reply:* I thought about that, but it would’ve been great to be able to do directly in Intune.
*Thread Reply:* Yes, indeed. Would be great to have this directly in Intune 👍
*Thread Reply:* But I keep forgetting the powerful backup workarounds you can do in Configurator 2 when Intune doesn’t support something :)
*Thread Reply:* File a feature request for Intune, then create the webclip payload in AC2 and push it from Intune. Press MS hard for any feature missing from the console.
I would like to implement CBA for Outlook for iOS and Android Enterprise Work Profile (BYOD) with MEM. I found the following articles at MS Docs: Certificate-based authentication on iOS - Azure Active Directory | Microsoft Docs (https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-certificate-based-authentication-ios) and Android certificate-based authentication - Azure Active Directory | Microsoft Docs (https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-certificate-based-authentication-android). But neither article describes how to configure Outlook App Configs in MEM. Does anyone know how to set up CBA for Outlook on iOS and Android?
If I would like to disable enrollment of all platforms, for all users, but allow everything for a small PoC group - how should this be set up in enrollment restrictions?
I first thought that I can block everything in the default profile, and then create a new, assign it to the POC group and allow everything. However, it seems that if a platform is blocked in the default enrollment restriction, it won’t let anyone in at all.
Can anyone please shed some light on this kind of confusing logic? 🙂 Thanks!
*Thread Reply:* Have you checked the priorities? Which one is the default device type restrictions?
*Thread Reply:* Yes but it’s the logic I can’t figure out
*Thread Reply:* it says that the default restriction has the lowest priority, and that devices must meet the highest priority
*Thread Reply:* So I should be able to allow everything for a specific group on prio 1 and then block everything in the default policy.
*Thread Reply:* What platforms are allowed for the POC group?
*Thread Reply:* And what exactly have you configured for the POC group? Are personally owned devices allowed or blocked?
*Thread Reply:* Basically all platforms are specified as allowed in the PoC group, even personal device enrollment.
*Thread Reply:* But if you were given the task to block everyone/all platforms, except for a small test group where everything should be allowed - how would you set it up? 🙂
*Thread Reply:* I would set it up the same way. I was asking because I will try to reproduce it on my test tenant.
*Thread Reply:* should be as simple as you mentioned. Block all platforms on the default restriction. Create a new one with only the group you want to allow. Any new one should take priority over the default. If you were then to create a 3rd one, you could then toggle the priority between the user created ones only.
Does anyone know if there is an app config policy for Edge on iOS (MAM-WE) to force desktop view by default?
This might be a little off topic, but our plan is to use Intune MDM, no other O365 service - YET.
Question regarding external routable domains with O365: Our users all have the same UPN with an external routable domain like company.com. BUT we have like 60 different external routable domains for the primary SMTP of the users. My question is: I will need to register not only the domain of the UPN, but also every single domain of the primary SMTP with O365, right? Our users will log on with the UPN, not the primary SMTP. I know it is recommended to have the UPN match the SMTP..
*Thread Reply:* Someone feel free to correct me if I’m wrong, however if your mail is staying on-premises and not migrating to Exchange Online I don’t see any reason as to why you need to register your domains. If all you want is for a user to be able to log in to Azure/MEM then just the primary domain should be sufficient.
*Thread Reply:* Thank you - that is what I thought! You know how it goes - after one year they might consider using some other services and then the UPN mismatch will be topic of discussion again! And headaches of course! 😜
Android 11 - Outlook requires activation of Device Administrator… Android by default doesn’t support this from Android 11 and forward, so Outlook can’t apply the account - at least when testing in COPE scenario. It works fine if adding the profile manually. I would expect this to be an exchange policy of some kind, but I’m not sure what to look for and where. Has anyone tested this?
Does somebody know how I can install a .p12 file onto an iPhone using the configuration profiles?
*Thread Reply:* What’s the use case? Just installing it to the key store so it’s trusted?
*Thread Reply:* Lol, yeah worked out. Had a .p12 file that a user wanted to have on specific devices to have it in the key store. He gave me the file and since I’m still new to MEM I couldn’t find a way to put that on the phone using the certificate templates that were available. I ended up loading the .p12 file into Apple Configurator 2, saving it as configuration profile and then making use of the custom template since I could upload a configuration profile into that.
*Thread Reply:* Haha. I have accomplished several of these type tasks with configurator. Another one that comes to mind is web clips. Those you will also have to do in configurator
Hi all, question about shared iPad and webclips within MEM. I am trying to deploy webclips to a shared iPad, but it always shows as deployment status 'failed' (guess a UI thing) in MEM. However the webclip is available on the device. When hitting the webclip on the device it opens in Edge (checked require managed browser), but almost immediately the iOS message 'Action not allowed' pops up. It is not documented, but I am doubting whether these webclips require a user-enrolled device. Anybody have some ideas/tips?
*Thread Reply:* I’m pretty sure you’ll need a user on the device when you want to allow for opening up content from outside (potentially) app protection policy protected apps. What you see, I guess, is the lack of an app protection policy telling Edge that it is allowed to open up content from apps outside the APP container. Unfortunately you won’t be able to add Edge configurations either without a user.
Are you testing with guest users or managed apple users?
*Thread Reply:* Hi TGR, thanks for your reply. It really looks like an APP message. However, regarding weblinks there are no requirements specified like APP applied. Besides, APP requirements for weblinks make no sense, right? Testing with AAD federated users and local ABM users.
*Thread Reply:* Webclips are supported on the user channel on Shared iPads for business
*Thread Reply:* And user channel profile support is still not live on MEM I believe
*Thread Reply:* https://support.apple.com/guide/mdm/shared-ipad-payloads-mdm05daf6e79/1/web/1.0
*Thread Reply:* Unfortunately Microsoft mentioned these webclips are possible on shared iPads: https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-shared-ipad#add-apps-on-shared-ipads
Can we use Knox Mobile Enrollment for Work Profile Enrollments with Intune? EDIT: ok found the answer - this is not supported with Intune.
*Thread Reply:* You mean with KME and Work Profile?
*Thread Reply:* Ok thanks.. will check it out!
*Thread Reply:* Microsoft Endpoint Manager uses the Android Enrollment profile Corporate-owned devices with work profile.
Knox Mobile Enrollment – MDM Profile
Android 10 - Work Profile on Fully Managed Devices – WPoFMD
  MDM information: Let MDM choose to enroll as a Device Owner or Profile Owner
  Custom JSON Data (as defined by MDM)*: {"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"*"}
  System applications: Disable system applications
Android 11 - Work Profile on Fully Managed Devices – WPoCOD
  MDM information: Let MDM choose to enroll as a Device Owner or Profile Owner
  Custom JSON Data (as defined by MDM)*: {"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"*"}
  System applications: Disable system applications
Result:
- All system apps will be installed on the personal side of the device
- No system apps will be installed in the Work Profile.
**The enrollment token can be found at Device > Android > Android enrollment > Enrollment Profiles > Corporate-owned devices with work profile > View enrollment token > Token
*Thread Reply:* Mark, isn’t the token for both scenarios that you lined out the same within Intune? But I need one profile for Android 10 and one for Android 11 right?
*Thread Reply:* I believe it works with the same token for both 10 and 11
Is there support for Google Zero-Touch with Work Profile? Because Fully Managed with Work Profile is still in Preview! 🤮
*Thread Reply:* Not sure if it supported with Intune, but beginning from Android 10 zero-touch and work profile deployments should be possible: https://developer.android.com/work/versions/android-10
*Thread Reply:* I’m also wondering why Intune still shows this as in “Preview” 🙄
*Thread Reply:* I believe it is in stable preview, i.e. all known bugs documented.
*Thread Reply:* probably going to hit GA some time soon
*Thread Reply:* Yes and in the meanwhile there is no support!
*Thread Reply:* what do you mean there is no support?
*Thread Reply:* If you need a support case with Microsoft you will be out of luck!
*Thread Reply:* I’m helping a client to migrate Android devices from WS1 to Intune and I logged tickets and all got resolved. This is public preview not private.
*Thread Reply:* tickets related to Corporate-owned devices with work profile build
*Thread Reply:* That is news to me that they support Preview features - good to know.
PFX / PKCS Profile deployment is working for iOS devices, but for Android Enterprise Work Profile devices the PKCS profile still shows PENDING within the Endpoint Manager Admin Center. The root certs (of Root CA and SubCA ) have been successfully deployed. Anything special for Android within the PKCS profile?
Hi, coming from Workspace ONE I always had the possibility to reassign configuration profiles to devices if something was wrong without having to re-enroll the whole device. In Intune I don’t see any possibility to have that done if the profile seems to be malfunctioning. Am I overlooking something here or is there really no way of reassigning a single configuration profile on a device (Android in this case)? Would be great if somebody could share their experience on how to solve this issue.
*Thread Reply:* This is one of my biggest annoyances! Only workaround is if the profile has been assigned via a group. Create an exclusion group with the user in it. Let it apply then remove the exclusion
*Thread Reply:* same again for app deployments etc
*Thread Reply:* Wow, there is no other way of doing this? My case is a Wifi profile on Android showing EAP - PEAP Phase 2 MSCHAPV2 even though the profile should set it to EAP - TLS.
*Thread Reply:* I agree with Ajay, this is my biggest gripe with Intune (I have plenty of others as well). I have to pull and reapply profiles fairly regularly when testing and troubleshooting in WS1. I'm not looking forward to our switch to Intune and losing this functionality.
*Thread Reply:* I’ve always been doing that on WS1 and that helped solve most of the issues. Not having this functionality on Intune is one of the worst things….next to not having an actual history log of what the device is doing.
*Thread Reply:* Agreed, Julio. I used to do this on a near daily basis for troubleshooting and testing. My other biggest gripe is not being able to do this on an app. When an app install fails, just press the install button in WS1 and 9/10 times this resolves the issue. Can't do this in Intune.
*Thread Reply:* Exactly! The tools that Intune offers or better does not offer are making my life so much harder when it comes to troubleshooting. With WS1 I thought that I understood how MDM works, but Intune has me questioning my abilities on an at least weekly basis.
*Thread Reply:* You could have started a UserVoice (https://microsoftintune.uservoice.com/forums/291681-ideas), but Microsoft decided to stop using the platform and instead are using their own platform, and will migrate to it product by product.
Okay all you Intune gurus I know at least one of you knows the answer to this so please help me out. In order to leverage MAM with the Outlook app you don't actually need to be on Exchange Online do you? While we do plan to move some staff to Exchange online over the next year the vast majority of users will be on Exchange 2016 so is it still possible to leverage MAM for the Outlook app while also leveraging an on-prem server and if so what do I need?
*Thread Reply:* No, application protection policies work regardless of the Exchange environment. Just utilize Intune APPs and do not forget to push an Outlook app configuration with the IntuneMAMUpn key. The only issue you might have is some form of conditional access.
*Thread Reply:* Thanks @Mark Vonk. I was assuming that was the case but wanted to make sure, as everything I saw online kept referring to Exchange Online. I'm assuming once we have the hybrid connector in place we should be good to go, but I'm waiting for my Exchange Team to get that up and going. If we can leverage MAM vs a full enrollment, that will make our end users happy and speed up our transition off WS1 over to Intune while making it as simple as possible. Since mobile email is really the only thing we need to lock down (well, that and Teams) at this point, MAM seems like the best approach for now, as we can always move to full enrollment down the line if something comes up that requires it, I suppose.
*Thread Reply:* This is what I did for a customer transitioning from WS1 to Intune. We just went down the MAM route and applied the app protections to all Microsoft apps (as that's all most users in this case need anyway on their phones).
Has anyone had luck pushing a VPN (Cisco AnyConnect in this case) to a shared iPad (and had success getting it to connect)? I think this is another issue where Intune is defaulting to User Channel and the profile isn’t being accepted/interpreted correctly when the device is in Shared mode. Same profile works fine on individually assigned device.
*Thread Reply:* Basically trying to determine if Microsoft has implemented User Profile/Device Profile selection/assignment (like VMW)
Did anyone successfully manage to somehow disable randomized MAC on Android devices? Maybe with a custom profile, anything?
*Thread Reply:* You can add WiFi config with Knox Service Plugin on Samsung devices and disable Randomized MAC for each SSID
*Thread Reply:* do you have a link to documentation for that and is there also a way to do this for Pixels?
*Thread Reply:* This is only for Samsung devices
*Thread Reply:* https://docs.samsungknox.com/admin/knox-service-plugin/advanced-policies.htm#Wi-Fi
Hi folks. I’m usually assigning everything to User Groups, but I need to assign the majority of things to Device Groups for this client. Is there anything that should NOT be assigned to a device group for iOS devices because it would not work?
*Thread Reply:* here is Microsoft's take on it.
*Thread Reply:* User groups are always quicker and cleaner in my opinion, but the rule of thumb I guess is below: If you want to apply settings on a device, regardless of who's signed in, then assign your profiles to a devices group. Settings applied to device groups always go with the device, not the user.
*Thread Reply:* App protection policies only support user groups.
*Thread Reply:* Basically I have a requirement that one user can have more than one device/build/device restrictions
*Thread Reply:* I don’t see any other way than to assign controls to device dynamic groups based on builds
*Thread Reply:* dynamic groups will be based on device category
Anyone using Defender for iOS? On supervised devices, I’ve been pushing the “issupervised” app config as well as the new custom Web Content Filter Profile, but the app is still adding the VPN profile as well. After this we have seen some strange issues. Haven’t been able to get a good response from MSFT on this. My guess is that the VPN profile should be disabled if you enable “issupervised” and push the Web Content Filter only, not both of them.
*Thread Reply:* @Anton I believe the profile that you can download and deploy is for Anti-Phishing; it's not used for Content Filtering on URLs, I believe. I have the two hand in hand on my test tenant and everything seems to be all okay. What issues are you seeing?
*Thread Reply:* Just like the “VPN” profile that is standard for Defender, I believe that the “content filtering” profile is just another, maybe improved, way of filtering URLs and providing phishing protection. They (MTD vendors) tend to use either the VPN, DNS or Web filter APIs to do this. Not that they use the profile as normally intended, just that they use that specific API.
The issues we’re seeing are that normal sites like Google are being blocked etc.
*Thread Reply:* It seems like if you lock your device with a google site running, and then come back and unlock it some time later, the URL is marked as “phishing”
Hi, I know I already asked something about this topic a couple days ago, but I have another question about randomized MAC on Android Enterprise devices. Is there a way to change the stored Wi-Fi Mac in Intune after the user manually changed the settings to “Use device/phone MAC”?
Anyone seen where a Web Link (aka iOS WebClip) that has “Require a managed browser to open this link” (into Edge) says: “Action Not Allowed” and it won’t let the handoff occur? Said URL opens perfectly inside Edge itself. It’s just the hand-off from WebClip to Edge that’s acting up
*Thread Reply:* I have seen this; had to sign in to the Edge browser with corporate identity. Haven’t had time to look into this yet as it's on a low priority list.
*Thread Reply:* Do you have a MAM policy that requires the Edge browser for corporate data?
*Thread Reply:* @ZL Thanks for the tip. I don’t believe so in terms of the MAM policy requiring Edge for Corporate Data.
*Thread Reply:* “New web clips (pinned web apps) on iOS devices will open in Edge for iOS and Android instead of the Intune Managed Browser when required to open in a protected browser. For older iOS web clips, you must re-target these web clips to ensure they open in Edge for iOS and Android rather than the Managed Browser.”
*Thread Reply:* https://docs.microsoft.com/en-us/mem/intune/apps/manage-microsoft-edge#deploy-app-configuration-scenarios-with-microsoft-endpoint-manager
*Thread Reply:* Okay @ZL. I got a little more context. This config was created as “Managed Apps” instead of “Managed Device” That said, I think what you said is accurate in regards to MAM territory. These guys don’t use MAM.. so is it best to create the same config as “Managed Device” and re-deploy?
*Thread Reply:* I don’t think it is going to make a difference.
*Thread Reply:* I just checked and I don’t have App protection Policy configured to require to open corporate data in Edge
*Thread Reply:* Does your Web clip specify that it has to be opened in a managed browser? And you say you have no protection policies around Edge?
*Thread Reply:* Yes it does says that I need to open it in managed browser.
*Thread Reply:* I have been struggling for a month now with Microsoft over what is happening on this exact same issue, but they still have no clue. So for now I created a webclip in Configurator which works fine, but isn't ideal.
*Thread Reply:* Is your clip configured to open in the managed browser?
*Thread Reply:* Gotcha! Yeah, I’ve had several items that had to be created in Configurator.
*Thread Reply:* The clip I’ve got is set to open in Managed Browser ATM.
*Thread Reply:* @ZL Wait. You said Mystery Solved?
*Thread Reply:* I think I misread your initial question. I’m going to test the behaviour and get back to you.
*Thread Reply:* @ZL , just curious, did you already test this?
*Thread Reply:* hey sorry I haven’t had time to test this yet.
How can I see user certificates on Android Enterprise Work Profile devices? (Deployed via PKCS) I can see the Root Cert, but I cannot see the user certificate, but I can recall that this is normal.
*Thread Reply:* It should appear in user credentials
*Thread Reply:* I only find "user certificates" in the settings. There I can see the FindMyMobile certificate, but not my user certificate. The certificate was issued on the PKI, the PFX connector also shows the request under success. Where is that setting that you are pointing out? I am on Android 10. Hasn’t there been a store app that shows my certificates?
*Thread Reply:* Never used it, but noticed in the past on Reddit that Microsoft seem to suggest using 'My Certificates'.
*Thread Reply:* User certificate often means user-imported CA
Good Morning. I need your opinion guys: Is Intune a good EMM for managing rugged devices from Honeywell, Zebra, etc.? Thank you very much. Example: (Skorpio X5, Thor VM1A, CK75)
*Thread Reply:* Slight bias here but I would say not.. there are other vendors who have better support and reputation with Rugged devices. WS1 and Soti come to mind.
*Thread Reply:* @Celestino Cortés Bustos - It depends on your use-case, but I tend to agree w/ Jay here. Soti MobiControl and WS1 are great products for Rugged devices.
*Thread Reply:* The biggest downside of Intune for those devices is not having the direct file placement feature. Everything else I'd say is fine. If you don’t need direct file placement, spin up a test tenant and see if you can achieve your requirements.
*Thread Reply:* If you're already consuming an MSFT license that has Intune included it is worth the test.
*Thread Reply:* NO!! It’s terrible!
*Thread Reply:* SOTI and WS1 (with a relay server) are the way to go
*Thread Reply:* Intune only supports the “new way” of doing things like OEMConfig and Managed Play
*Thread Reply:* SOTI and WS1 support those options too but they give you more granular control over direct APK installs outside of Managed Play and direct file placement
*Thread Reply:* Managed Play has improved over time but is still nowhere near the point of properly supporting mission critical environments where app version control is paramount
*Thread Reply:* Thank you very much to all
*Thread Reply:* @Matt Dermody A tricky question: If you had to choose between Avalanche 6.3 or Microsoft Intune to manage this kind of device, which one would you choose?
*Thread Reply:* That is a bit tricky. Matt may have more insight here, but my 2 cents would be Avalanche for your use-case being rugged, locked down, etc.. Avalanche does a good job at rugged legacy stuff.
*Thread Reply:* They're also part of Ivanti these days and they have another UEM product as well.
*Thread Reply:* @ninex Yep, Ivanti bought MobileIron, which makes me wonder what will happen to Avalanche
*Thread Reply:* I thought I had heard that, thanks for confirming. Its certainly something I would ask if I were engaging w/ them as a new customer.
*Thread Reply:* That is really tough, but I’d have to also say Avalanche
*Thread Reply:* We moved our customer base off of Avalanche to SOTI when Zebra/Motorola started transitioning away from Windows CE to Android and have never looked back.
*Thread Reply:* But if you told me that I only had the option of Avalanche and Intune I would go with Avalanche for Rugged Android
*Thread Reply:* Of note, the last I checked the “Smart Device” licenses for Avalanche are separate from the legacy windows devices so if you have an existing Avalanche environment you’re hoping to repurpose for Android devices then you’ll be looking at a net new licensing purchase
*Thread Reply:* at that rate you should just put those licensing funds towards SOTI and be confident you have the right tool for the job
*Thread Reply:* and don’t be distracted by the “free” cost of Intune wrapped up in Office 365. A free screwdriver is worthless to you if you really need a drill
*Thread Reply:* Thank you very much for your time and knowledge @Matt Dermody @ninex .
*Thread Reply:* @Matt Dermody That drill comment got me. Best Intune comment I’ve seen yet! I’ll be borrowing it 🙂
*Thread Reply:* lol, i've already told so many ppl. haha
*Thread Reply:* Glad y'all enjoyed it! That was made up on the spot!
Has anyone had any issues with assigning device password controls to a device group? Mine is failing to apply. When I assign the same policy to a user group, it works as expected.
*Thread Reply:* Client has a use case where one user has more than one device type/build associated with them. For example, “User A” can have “Device Build A” and “Device Build B” type of device issued to them. Both builds have distinct device restrictions profiles. Instead of assigning device restriction profiles to User Groups, I’m now assigning device restriction to Device Groups to accommodate this request. The problem is that when assigning device restriction to Device Groups, some parts of the device restriction profile would fail to be enforced, specifically all controls associated with password complexity and history requirements. See the screenshot in the attachment. I observed the above behaviour on Corporate-owned Fully Managed, and Corporate-owned devices with work profile. iOS devices are unaffected by this issue.
I’m also looking for alternative suggestions that do not involve Device Groups to accommodate this requirement.
Just in case anyone else encounters the same issue as me! If you want to disable MFA during enrolment with MEM, make sure you exclude Intune and Intune enrolment from within your existing MFA conditional access policy. If you create a separate policy this won't work! An hour of my life I'll never get back 🤣
*Thread Reply:* This is why you have the “What If” tool, makes debugging a breeze
*Thread Reply:* Yes, I remembered that halfway through and it got me thinking it can't be separate!
*Thread Reply:* Also one thing to bear in mind is this only takes effect if you are using Azure MFA and conditional access policies and not enforcing MFA per user
I need to support a customer with Exchange Online who has not enabled modern authentication yet, so until this is enabled the Outlook app cannot be used. I have been evaluating whether to support this requirement with:
- Android - Gmail app
- iOS - built-in mail client (ultimately no coverage for App protection policies in this scenario)
- or Nine Work for both Android and iOS (app protection coverage in this scenario, but I haven't used the app previously)
Anyone in a position to comment on ninework at all?
Also to add, I am aware that for Android there are built-in email profile options for both Gmail and Nine Work; however, wherever possible I would like to achieve the configuration via the app config channels due to being bitten in the past with the built-in Gmail profile. In fact, the last time I worked with this there was no way to remove this profile from an enrolled device and it required the whole work profile to be removed and re-added.
*Thread Reply:* Any reason why they haven't enabled Modern Auth? If it wasn't for Covid, Basic Auth would have been disabled by now, so I would have thought they would have started to consider their options. Either way, Nine is a pretty nice email client. If it's only temporary, I would probably say stick with the Gmail client (using app config) and the default iOS client.
*Thread Reply:* Something they haven't had confidence in enabling in the past; it is scheduled in the near future but I am trying to bypass it as a blocker for getting their mobile devices onboarded. Thanks for your input, seems that way will be the best. No support for app protection policies, but then that will be all the more reason to have modern auth enabled ASAP.
*Thread Reply:* You won't achieve app protection on iOS without Outlook, I believe; even Nine doesn't have this yet, last time I checked, so either way it's not going to happen...
*Thread Reply:* Indeed you are right, mate, they do not; only support for Android (the main bulk of the customer's estate)
*Thread Reply:* It's a form of "App protection" anyway on Android. Doesn't give you the DLP stuff that app protection can do for Microsoft apps, but I guess it's a pretty decent halfway house.
Hi, Is it possible (in “Corporate-owned devices with work profile - Preview”) to open up the Play Store in the personal profile and still have the Play Store in the work profile limited to the apps that I have pre-selected? I can’t really find the toggle to do that, it looks like it is either or.
*Thread Reply:* Nevermind, it does work, it just takes some time.
"Company Portal or Microsoft Intune app": which one of these 2 are you guys using to enroll personal devices with work profile? Is there any difference between these 2?
*Thread Reply:* you will need the company portal app. The Intune app is used for Device Owner or Dedicated devices
*Thread Reply:* Thank you very much @Ajay Patel
*Thread Reply:* In case you ever need the reference doc, it's detailed here
Shared iPads & Conditional Access?
We have set up Shared iPads with Managed Apple IDs and everything, but we’re hit by our conditional access rules that require devices to be managed. They ARE managed, of course, with Endpoint Manager, but only one/first user can log in to Company Portal, and the guest account and other users can’t access any resources protected by CA policies.
We discussed if we could exclude our shared devices from the CA policies, but they apply to users only?
It seems that this case is not supported by CA/MEM (yet) - What are you guys doing for Shared Devices?
*Thread Reply:* Sorry if this is a silly question or I'm maybe misunderstanding, but wouldn't you want any guest users to not have access to corp resources unless they authenticate? So your guest access can't do anything unless it's an actual user signing into the iPad?
*Thread Reply:* Your description just matches the limitations of shared iPad within Endpoint Manager. At this stage there is no good solution to fit CA with shared iPads. https://docs.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-shared-ipad#known-limitations
*Thread Reply:* True. Guest (or next/second) users should still login with username/password inside the apps they need (Outlook/OneDrive/Teams/etc..) but right now they can’t even login because the “device” is not registered to THEM. The device is under management and the first user who logs in can register device in Azure with Company Portal app and login to Outlook/OneDrive/Teams, but the secondary users can’t do that because the device is already registered for user #1… So no login possible for them
*Thread Reply:* @Tim thanks. Yeah - did look at that too… I just don’t get why/how we can use Shared iPads with Intune then…
*Thread Reply:* Just wondering how did you manage to enroll the first user within the company portal anyway? Did you enroll the shared iPad without user affinity?
*Thread Reply:* Yes. device enrolled without user affinity and first user logs in with managed apple id. Opening Outlook and prompted for Comp Portal App. User logs in and everything works… User logs out; next user logs ind and can’t do anything…
*Thread Reply:* Ok strange, tested a slightly different scenario a while ago. Pushing the company portal to the device and signing in with a user. But not very surprising this enrollment fails because there is already a management profile present on the device.
*Thread Reply:* Well we have configured Comp Portal as a shared device with app config
*Thread Reply:* Interesting. Was not aware of this possibility, do you have a .docs page about this?
*Thread Reply:* Second option:
<dict>
  <key>IntuneUDAUserlessDevice</key>
  <string>{{SIGNEDDEVICEID}}</string>
</dict>
*Thread Reply:* note says: The user signing in to Company Portal is set as the primary user of the device.
Following. We have put the idea of using shared devices on ice, both for similar reasons as you mention and due to the complexity with roasting information and integration with ASM.
bugger. I’ve had great(er) success with Shared Devices on WS1… Intune seems to lack a lot of functionality still in this area
Hi, I’m trying to set up Knox Mobile Enrollment with Intune, using a Samsung Galaxy Xcover Pro with Knox version 3.7.1. I created an MDM profile in the KME dashboard and assigned that to the device. In Intune I have also created a profile for corporate-owned devices with work profile. After factory resetting the device and starting the setup process, the device never seems to receive any information from KME. The same setup with a Pixel 4a and Zero Touch configured works without any issues. What I find weird is the fact that in the Intune documentation I can find “https://aka.ms/intune_kme_deviceowner” as MDM Agent APK, while KME itself sets a different URL (https://play.google.com/managed/downloadManagingApp?identifier=setup) automatically when selecting Intune as MDM. I tried both, with the same result. Am I missing something in the setup that is Samsung specific?
*Thread Reply:* For WPoCOD configs in MEM you need to choose 'let MDM choose' instead of 'force device owner'. In particular in case of Android 11.
*Thread Reply:* Okay, I already tried that one but it didn’t work, that’s why I tried the “force DO”. Will change that again.
*Thread Reply:* @Jay, Just wondering if there are already results in your Samsung case about this issue?
*Thread Reply:* Nope, still waiting for a good response. Samsung asked for logs, but also said that the issue could be that my console is registered on an US server (headquarter of the company is in the US) and the device I’m trying to enroll is EU/UK based. That could pose an issue since outside US devices wouldn’t communicate with the US servers and the other way around..?! I asked them what would be the proposed solution, since this scenario will be way more common moving forward.
*Thread Reply:* @Jay, thank you for replying. Please keep me updated about this matter, interesting to know what's happening.
*Thread Reply:* So, as expected EU devices can not communicate with consoles in AMER. Details:
“Dear Julio
Thank you for your time.
From the logs we can see that countryIsoCode=de, so the device is, in fact, a European model. The solution for them is to have two consoles, one for US devices and one for EU devices. You can create the account with any address located in Europe so the console will accept all European devices. The article that you found is informative:
“Based on the country you select during Samsung Knox registration, your KME/KC Admin account is linked to the appropriate server. For example, if you selected US as your country during KME/KC registration, then only devices from the Americas can be enrolled through this account.” https://docs.samsungknox.com/admin/knox-mobile-enrollment/kbas/kba-398-profile-device-country-do-not-match.htm
Best regards, Christian Samsung KNOX Support”
Did you assign the KME profile to your devices (in KME Portal)?
*Thread Reply:* If it’s not even going through the KME enrolment then this sounds like a possible network issue. Is the device even attempting to connect to KME servers once it gets a Wi-Fi connection or just going straight through to the next page?
*Thread Reply:* After connecting to Wifi and me pressing “Next” it takes me to the next regular screen saying it is checking for updates. On the Pixel with Zero Touch it would take me to a screen that informs me about the device being a company device and then proceeding with the steps needed for that.
*Thread Reply:* Then this sounds like possible network issues. If you are on an office Wi-Fi I would try tethering from another device or use an unrestricted Wi-Fi to test?
*Thread Reply:* Remote working, I’m on my home Wi-Fi. I’ll try it with mobile data, have only tried it with Wi-Fi so far
*Thread Reply:* Did it with mobile data now and skipped wifi, it goes to “Checking for updates”, then “Getting your phone ready” and then “Copy apps & data”. Again looks like it didn’t communicate with KME.
I am not sure if the Intune token is needed, in your KME profile, for this. Check docs.microsoft.com/en-us/intune/enrollment/android-samsung-knox-mobile-enroll the part for custom json data
It is part of the config, still my device doesn’t receive that info.
I tried enrolling it with the QR code that holds the same token and that works without any issue. It looks like there is no communication between KME and the device.
Device Writeback via AAD Connect - does this also include iOS and Android or is this only supported for Windows?
@Jay perhaps the jsontext line in your kme profile is not right. Check this on jsonformatter.org/json-viewer to verify it. What option did you check for your kme profile: let MDM decide or force DO?
*Thread Reply:* Tried “Let MDM decide” first - didn’t work, so I changed to “Force DO” - same result.
*Thread Reply:* The JSON Data window is doing a json check itself, so if something is off it shows it there. It returns “Invalid JSON format” under the text box.
*Thread Reply:* During setup after that you do not see any KME related screen? Are you sure the correct device is shown in the KME portal?
*Thread Reply:* No, I don’t see that screen. Yes, that was one of the first things I did, double checked the IMEI and SN multiple times.
*Thread Reply:* That’s weird. It seems the device is not connecting to KME at all during the setup. I would suggest opening a case with Samsung. If you go to samsungknox.com and log in you can open a ticket
*Thread Reply:* Thanks, that’s what I also thought, opened a case with them an hour ago. Will see what they’ll say about this
so a customer has Android Work Profile enrollment restrictions blocked in their portal (they are using App protection only for BYOD users) but users can still sign into the company portal and create a work profile then after that they get told they cannot enrol their device. Is this the correct behaviour others have seen?
*Thread Reply:* Hey, I feel like I encounter the same issue. I hope I am not mistaken. I get the following message when trying to configure the work profile in Company Portal. I think there should be some kind of deprecation in the API level for this application which impacts the Android Device Policy app.
*Thread Reply:* I would be thrilled if anyone could help with this. Thanks in advance guys!
Stupid question time... how do I block users from downloading Company Portal and enrolling personal iOS devices? We want to restrict to DEP enrolled devices only. I have disabled personal iOS devices in the enrolment restrictions, but am still able to enroll non-DEP. What group should I assign the enrolment restrictions to?
*Thread Reply:* check if the priority is configured correctly and give it some time to propagate
*Thread Reply:* If you tested immediately after the change, give it some time and try again.
*Thread Reply:* unless you want to restrict only specific users, then a custom user group must be created
*Thread Reply:* Thanks. It's working now, I think I just had to give it time. That is one of the most frustrating things about Intune when coming from the WS1 world... groups are so slow.
*Thread Reply:* It's not a very user friendly experience though, just says "Profile Installation Failed"... oh well.
Shared Device Mode for iOS devices - has anyone had success with this (https://docs.microsoft.com/en-us/azure/active-directory/develop/msal-ios-shared-devices)? It seems that neither Outlook nor Edge are supporting this feature yet. Are there any iOS apps that do support it? So far I’ve only been able to log on to Teams which gives me sso with Safari, but when signing into another users account in Teams, you have to manually sign out of safari to be able to sso with the new account… The feature was documented by MS more than a year ago - I’m surprised they haven’t implemented any of it in their own apps? I would at least expect it with Edge… Right now it seems pretty useless 😞
*Thread Reply:* @TGR Shared iPad support is pretty basic at this point with Intune/Endpoint Management. I think we should start a shared KB that lists all the shortcomings.. and there are plenty at this point.
*Thread Reply:* @Woody I’m talking about Azure AD Shared Device Mode on iPhones and not Shared iPad - I will be testing that also though 😉
*Thread Reply:* But I totally agree that a shared KB on those scenarios would be great - I’ve seen a few threads on it already, so it’s definitely of interest for quite a few of us 🙂
Anyone deployed a trusted identity cert (just a singular CA entity) to the Computer Store of a W10 machine via Intune/Endpoint? It shows as a success… but I can’t find the cert installed in any of the stores.
*Thread Reply:* I’ve done this in practically every other MDM I’ve worked with. For whatever reason when you manage Microsoft with Microsoft things just get cray cray 😜
Hi, I have a question regarding integrating inhouse apps into Intune. Did somebody ever try to integrate Microsoft App Center with Intune?
*Thread Reply:* App Center has API available. I have some automation setup w/ a different EMM, but you can use Jenkins to grab code from your repo that goes out to app center, gets the .apk and passes it to the EMM via API. I've not tried it w/ Intune/MEM yet, but it's a good thought. I'd be interested in knowing if they have a simple integration considering they're both MS tools.
*Thread Reply:* I’m currently going through this document and it looks like there is a way to link it without any additional tool in between. At some point it states “A connection to Intune Company Portal has now been set up. You should see a store with the name provided on the Stores home page. The connection is valid for 90 days for an application in App Center.” I wanted to know from somebody who already might have done this if that means the connection has to be renewed every 90 days or did I misunderstand something?
Has anyone made the switch/tested using the new Modern Auth iOS Setup Assistant pages instead of using the Company Portal to authenticate? I haven’t got round to playing with it but by the sounds of it, it can certainly help with the annoyance of the guided access issues that lots of people face with the Company Portal enrolment.
*Thread Reply:* not tried it yet but was on my list for the next couple days. really excited for this!
*Thread Reply:* @Ajay Patel are you talking about the Customized Enrollment? Where it loads a custom auth page as part of Setup Assistant?
*Thread Reply:* @Woody yup pretty much this. Microsoft were just late to the game as usual
*Thread Reply:* @Ajay Patel Roger that! Agree, will be nice coming out the gate enrolled and not having as much dependency on the Comp Portal.
If people are noticing any issues with EPM today, see attached service health
*Thread Reply:* it could possibly just be affecting UK infrastructure
If a customer wants some web links deployed on iOS devices, what's the best way of doing this? If we use the web link option, you cannot specify an OS type and the links get deployed to their Windows devices if the user is targeted as part of the assignment. Android is easy with the managed play store but can't figure out a way for iOS only.
*Thread Reply:* Did you try it going to “Apps > iOS/iPadOS > Add > Weblink”?
*Thread Reply:* Yes, this is how they were created, but if I deploy them to a user group and the user has a Windows device also, it gets installed on there too. I'm trying to come up with a dynamic device group that could target the OS and the specific use cases for these devices but can't get anything to marry up with the available property types
*Thread Reply:* Ideally I need a dynamic group based on what configuration profile is installed but that doesn't seem to be an option 😞
*Thread Reply:* what if you create something based on the enrollmentprofilename?
*Thread Reply:* No, because all the devices are enrolled under one enrollment profile as the sign-in steps are the same across all users, but what gets delivered after they have signed in is different
*Thread Reply:* So if I wanted to go down that route, I would need to re-deploy all the iPads to these users again 😞
*Thread Reply:* Create web clips with the Apple Configurator and add those to a custom config. Only way to exclude Windows.
*Thread Reply:* Thanks @Mark Vonk - did think about this but a lot of work for just a few web clips. Also no easy access to a Mac at the moment either (they are in the office and I’m at home). The customer will just have to deal with it for the time being. It's not like they are web links that are holding critical information, so if anyone sees them it’s fine for now. It only adds them to the start menu on Win10 devices as well, not the desktop or anything, so not the end of the world
*Thread Reply:* you can create a dynamic device group including all iOS devices and assign the web clip to that
*Thread Reply:* You can’t mix device and user attributes though
*Thread Reply:* So if you want to assign it to a subset of users, a device group can’t be used
*Thread Reply:* Yeah, I don't want all users to get it, just a subset of users, and the only difference between them is that these users have a separate configuration profile assigned to them
*Thread Reply:* True, you’d either have to assign based on all iOS devices or a certain user group
*Thread Reply:* The users are based on a user group but we just end up going round in circles if the user has more than one device, i.e. Windows laptop and iPad, since you can't mix and match user and device groups.
*Thread Reply:* @Ajay Patel, might the new filter feature work for this?
*Thread Reply:* @Tim - I started reading this last night and didn't get round to finishing it but it does seem like this could be extremely useful!
*Thread Reply:* I've just turned it on and played with it a little and it has the Enrolment Profile Name as the filter so does the job nicely!! Finally getting somewhere with decent assignments!
If a user wants to see his appointments that are in the calendar of the Outlook app in the iOS calendar, is that something that has to be allowed in the App Protection Policies or is that just a setting I can’t find in the Outlook app? Similar to the “Save Contacts” functionality in the Outlook app that allows exporting contacts into the iOS contacts app
*Thread Reply:* This is only an Android feature currently. I think this is due to the same limitations on iOS with the one-way sync on contacts: if you were to update/add new ones on the local calendar it wouldn't sync back, but I’m just having a guess.
*Thread Reply:* The only way to achieve this, I believe, is to push out an ActiveSync profile with just the calendar, but not an ideal scenario
*Thread Reply:* I thought the same, but user is adamant that they had it setup in that way before they had to turn old phone in for repair.
*Thread Reply:* You sure they didn't just set up their emails in the native mail/contacts/calendar apps without you knowing?
*Thread Reply:* that is disabled, they’d need a profile that allows that and in order to get that profile they’ve to be in a specific group we have, which that user is not part of. that’s why I was thinking if there is another way of doing that
*Thread Reply:* Just to be sure, perhaps check in the device section in their Exchange mailbox and see if you see an iPhone listed quite recently. That would be my first port of call to check
*Thread Reply:* If you only see Outlook then you're fine and the user must just not be realising that they are using the Outlook app perhaps. Wouldn't put it past users to get things wrong 😂
*Thread Reply:* How can I check the Exchange part? Not sure if I have access to that segment to check 🙄
*Thread Reply:* You will need to be an Exchange admin at the very least. Log into the Exchange Admin Centre > Recipients > find the user > click View Details on the right-hand side under Mobile devices and see what's listed in there
*Thread Reply:* yeah, don’t have that permission, but thanks for explaining 🙂 will inform the user that this is currently not enabled.
Hi. Setting up android corp work profile for the first time. It’s taking more than ten minutes to set up from the time I scanned the qr code. Is that normal? It’s not appeared in the console yet. Thanks
*Thread Reply:* It should not take that long. On which screen did it get stuck?
*Thread Reply:* Using afw#setup seems quicker. Thanks
*Thread Reply:* Do you still get the device in COPE mode when you use afw#setup?
*Thread Reply:* I get the long waits too during ‘Registering Device’ - testing with KME.
*Thread Reply:* I’m not using kme. My understanding is that’s for fully managed device. In my case I think it’s a device issue.
*Thread Reply:* I would assume a device issue as well, especially if the test device is not a high-end device. I've seen some issues with enrollment on low-spec devices in the past. Oftentimes it helped to restart the device once it got stuck and they would automatically continue where they left off.
*Thread Reply:* KME works for COPE, fully managed and dedicated, but for COPE on Android 11 you need to configure it to let the EMM decide whether to use Profile Owner or Device Owner. If you set it up to force Device Owner, the device ends up as fully managed - this is not the case on Android 10 though…
What are thoughts on enforcing security software on byod?
*Thread Reply:* Forcing an install of Lookout security, for example, on a personal device. Is that the norm on BYOD?
*Thread Reply:* Jamsy, I know I've heard of some in here leveraging Lookout or MS Defender but I think that really comes down to your user base and what they are willing to let you do. BYOD is a pretty touch-and-go thing: on one hand you have to feel like you're protecting your corp data, on the other hand you can overstep since the device is owned by the employee.
*Thread Reply:* As an admin I like the idea of doing it since we're a big BYOD shop as well, but as an end user I would not be very thrilled if I wasn't the guy running the MDM and understanding how it all works. Thankfully our leadership/security team has not wanted to force that out as I suspect a lot of our end users would be very upset by it.
*Thread Reply:* Would your users be OK with installing corporate apps on BYOD?
*Thread Reply:* Not sure what country you're from, but in the UK you will be lucky if users accept installing an MFA client (Microsoft Authenticator) on their devices.
*Thread Reply:* Well, to be fair ZL, the UK is a special place right now when it comes to user privacy 😄 I think if the powers that be over there got their way BYOD would be dead.
*Thread Reply:* Thanks all. Yes ZL, users are happy with corp apps on their devices. Just wonder how UK corporates see it. Do the usual DLP / app protection policies suffice or is security software installation a best practice?
Hello, did someone successfully install the Intune PKCS Connector? I have a weird error saying that it cannot establish a secure TLS connection (I run .NET 4.8)
*Thread Reply:* @Florent N. is this when you are running the installer? Or when it is attempting to bind with Azure or the CA?
*Thread Reply:* I successfully installed it and it appears in the console with green dot.
*Thread Reply:* The error came from the Event Viewer
*Thread Reply:* Did you already sign in as admin after installing the application? During which step you get stuck? https://docs.microsoft.com/en-gb/mem/intune/protect/certificates-pfx-configure#download-install-and-configure-the-pfx-certificate-connector
*Thread Reply:* It is installed, signed in and uses the correct service user.
*Thread Reply:* When I deploy the pkcs config Intune return an error after check-i'
*Thread Reply:* Sometimes we get an error saying that it was not able to create an SSL tunnel in Event Viewer
*Thread Reply:* We also had an error saying bad key usage, and sometimes we saw that ADCS issued certificates but they were still in error in Intune
Hello, Outlook app with on-premise Exchange account, no search possible in the global address book. Is this not supported by the Outlook app (with an Exchange Online account it works)? Thanks
Hey, is anyone managing Hololens devices with Intune ?
Has anyone experienced this? We enroll iOS devices via ABM. After the device was enrolled and all relevant apps and configs have been pushed successfully to the device, after restarting the same device the Setup Assistant pops up like the device has never been set up before.
*Thread Reply:* Hi, I see this on a device (also ABM) that I’m using for a pilot of the setup with modern auth. Thought that I messed something up. Glad that it’s not only me. Do you also use modern auth or regular enrollment?
*Thread Reply:* Hi.. you mean in the ABM profile within the Endpoint Manager Admin center?
*Thread Reply:* In Endpoint Manager yes exactly there. Do you have “Authentication method: Setup Assistant with modern authentication (preview)” selected?
*Thread Reply:* Right.. no I am not using this one
*Thread Reply:* Okay, then it has nothing to do with that and seems to be a general bug
*Thread Reply:* Will you be opening a ticket with Microsoft about this?
*Thread Reply:* Not sure.. anyone else here experiencing this?
*Thread Reply:* did you disable the screens in either DEP profile or with a config payload later?
*Thread Reply:* We disabled some of the setup screens in the DEP profile.
*Thread Reply:* For Authentication we have selected Legacy
*Thread Reply:* We disabled “Terms and Conditions” and Diagnostics Data”, no config payload, “Setup Assistant with modern authentication (preview)” is our Authentication Method. Opened a ticket with Microsoft.
*Thread Reply:* We have opened a ticket too - let’s see who has the solution or at least an information faster. 😜🤞🤞
*Thread Reply:* I was asked for infos, will also provide them with a video showing how that looks 😄 Will keep you posted 🙂
*Thread Reply:* Great 🤟
*Thread Reply:* Did you raise the ticket within the Endpoint Manager or are you a Premier customer/partner and you opened the ticket there?
*Thread Reply:* Within Endpoint Manager, but I also think we are Premiere Customer, since the mail sender is called “Microsoft Premier Support”. (Fairly new to the company, hence the not sure^^)
*Thread Reply:* Right.. we just found out there is a huge difference in quality.. Premiere being the better way!
*Thread Reply:* @Jay - is this your issue at all?
Enrollment is completed once the user lands on the home screen, and users can freely use the device for resources not protected by Conditional Access. User affinity is established when users land on the home screen after the setup screens, however the device will not be fully registered with Azure AD until the Company Portal login. The device will not show up in a given user's device list in the Azure AD portal until the Company Portal login. That additional Azure AD login to the Company Portal app fully completes Azure AD registration.
*Thread Reply:* No. My device is fully enrolled. I do modern auth during the setup wizard and then when on the home screen I finalize the enrollment in the Company Portal app. Device is compliant and visible in MEM and AAD.
*Thread Reply:* And when you restart you land right into the setup wizards? Can you skip the wizards?
*Thread Reply:* Yes and no, I can not skip them. Have to go through them each and every time.
*Thread Reply:* Any progress yet? Nothing on my end
*Thread Reply:* Hey, sorry, forgot to reply the other day. I’m currently in exchange with support, I shared logs of my device and screenshots with them. Screenshots because I do see a difference in behavior of the device depending on what DEP profile (in Endpoint Manager) is assigned to the device. The behavior only occurs when I have the profile with Modern Auth, which is still in preview, assigned. If I use the regular method where the device would be assigned to the method with Company Portal as authentication method this odd behavior is not happening. Let’s see what they’ll reply to that.
*Thread Reply:* I deleted the profile and recreated it with the exact same settings, works like charm now. It looks like there was something corrupted in the profile. Still testing and rebooting multiple times but so far all good.
Random question. Any of you know if MAM-WE would work if assigned to a guest account (assuming we can assign the Intune license to a guest account) and what would be the behaviour on the devices if Company A and Company B both assign a MAM policy to the same device?
*Thread Reply:* No policies from Intune will be enforced on guest user devices: https://techcommunity.microsoft.com/t5/microsoft-intune/app-protection-for-guest-users/m-p/280777 This is to circumvent licensing issues and also multi tenant policies being applied.
*Thread Reply:* Awesome, thx for confirming Mark
*Thread Reply:* Follow up question. What if a user has an account (not guest, but actual account) with company A and company B, and both company have a MAM policy. What happens on the device when the user switch accounts in Teams or Outlook?
Hi, do you know how to automatically assign scope tags to devices based on user criteria? For a large organization which has more than 100 divisions, they need to be able to restrict admins of each division to only see their devices (iOS). In Workspace ONE they used to use grouping with RBAC. Now in Intune we can use scope tags but there is no way I know to add a scope tag to a device based on which user group the device belongs to. Device dynamic groups only take device criteria. A user dynamic group or security group could work, but assigning a scope tag to a user group does not restrict the view of the devices… The only way I see is the API for now (device categories or type of DEP enrollment profile cannot work as it involves a manual action from the user or the admin). Thanks for your help
*Thread Reply:* Same situation here, I did not find a solution at the moment
*Thread Reply:* got it confirmed by MSFT, no way in the portal to do that. Script with Graph API is the way to solve this
Hi all. I am seeing some fairly hefty install times on lower-specced devices (Samsung J3, J4 and A20e) for COPE in Intune, almost twice the amount of time it takes to enrol the device into fully managed. Has anyone else experienced this too? I’m just trying to understand whether it’s the devices, the COPE feature or indeed both
*Thread Reply:* COPE or work profile is always slower in my experience. Probably due to the fact the device is separated in two profiles instead of one profile. Specs do matter too, the process is a lot faster on high-end devices. But sometimes I do see longer install times on high-end devices. Not sure why, probably some combination of factors.
*Thread Reply:* Thanks Mark. As a bare minimum spec I always recommend at least 32GB of onboard storage (particularly prevalent in the personally-owned work profile scenario as the enrolment takes up around 7GB of space) and 3GB RAM.
I hadn’t taken CPU into consideration on top of this, what are your thoughts?
Hi, I’m trying to implement S/MIME for a customer in Intune. I’ve followed these guides from MSFT https://docs.microsoft.com/en-us/mem/intune/protect/certificates-imported-pfx-configure https://github.com/microsoft/Intune-Resource-Access/tree/master/src/PFXImportPowershell
It worked, but I do not want to import each certificate individually for each employee. Does anybody know a script which imports certificates to Intune? Haven’t found anything on Github for that.
Why are apps not showing up in Company Portal when set to Required? Is that by design? It only says ‘No apps available’. iOS app (VPP - device based), Company Portal is also a managed app
*Thread Reply:* Required installs them but doesn’t also show them in the Company Portal app.
*Thread Reply:* If you want to see Required Apps in the Company Portal app catalog, then you’ll need to use the “Available for enrolled devices” assignment as well.
Anyone who is struggling with group assignments, take a look at the new MEM filters feature https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/use-microsoft-endpoint-manager-filters-to-target-apps-and/ba-p/2333342
*Thread Reply:* I am shocked that this wasn’t already there.
*Thread Reply:* Still somewhat limited though. Was trying to target a configuration profile on supervised devices only, but that is not available yet as a filter. Only enrollment profile, but some devices that have that enrollment profile are not actually supervised. In general it is a really welcomed addition, but it needs some additional attributes.
*Thread Reply:* @Mark Vonk you could have targeted to corporate devices & to os type = iOS.
*Thread Reply:* There are corporate iOS devices that are not supervised. Hence, I could not use that.
*Thread Reply:* I see. Was there a number of controls that you had to apply or one specific control ?
*Thread Reply:* could you apply to all devices and non supervised devices would just ignore it?
*Thread Reply:* also I’m curious how come you have non supervised devices with a DEP profile ?
*Thread Reply:* Two: an app configuration and a custom profile. The custom profile which needs supervision, will be skipped. The app configuration not though as it is not that smart. The app will see the configuration but not act upon it because of the lack of supervision. As for non-supervised devices; you can enable/disable supervision in enrollment profiles without user affinity. So it happens in some tenants that a corporate DEP device is not supervised. Bad luck/circumstantial/by accident
*Thread Reply:* Can you mix user and device properties? Like member of this group and OS?
Hi All, generally I have only used the Microsoft Authenticator app within the personal profile of an Android Work Profile device, however I was thinking if it was indeed a valid use case to deploy one within the work profile? How do you generally approach this?
*Thread Reply:* perfectly valid in my opinion if the customer uses MFA and you want to push the app out to users. I believe you can only have it setup on either the personal or work side and not both (not that you would want that anyway)
*Thread Reply:* Thanks Ajay, yes was my understanding too - one or the other
*Thread Reply:* I push it to WP at SM. Generally advise not to put any personal MFA there also because I can only assist in recovery of the corp accounts should compliance issues lead to a WP lockout.
Hi guys, how are you dealing with it when an enrolled device (Android Enterprise corporate-owned) takes ages to download apps assigned via Intune (managed Play Store)? Normally forcing a sync with Android Device Policy and the Microsoft Intune app resolves the problem, but recently it is not working that well. Any suggestion?
*Thread Reply:* If you are pushing out the apps using dynamic device groups, this usually takes a lot longer than when using user groups. If you have the ability to test (or use a new app), assign a user group and see if this pushes it out quicker than a dynamic device group
Is there any sort of formal ITAM offering inside Intune/Endpoint Manager? Outside just device objects and their basic details?
just an FYI - Microsoft is having some issues with Android Enterprise Enrollments for certain regions due to a customer enrolling a very large sum of devices causing issues in that regions infrastructure. They haven't specified which region this is affecting, however if you notice any failed Android Enrollments then this could possibly be why.
*Thread Reply:* 740k Samsung devices rolling out according to news
Is anyone using Cisco Jabber for Intune with Intune MAM policies?
Hey guys, which remote control are you using and how do you deal with the remote licenses? In my case we are giving support with a demo version of VNC remote viewer (shame). I’m asking this because we are searching for a professional solution. (Android Enterprise)
*Thread Reply:* Teamviewer QuickSupport - works a treat for us
*Thread Reply:* Hi Ajay, which kind of devices are you using with that remote control (dedicated, fully managed, work profile...)
*Thread Reply:* All types of devices across various customers. Mainly fully managed, but it works well with dedicated and work profile too.
*Thread Reply:* thank you very much
*Thread Reply:* @Ajay Patel, never experienced black screens when opening work apps, no matter where Teamviewer is installed?
*Thread Reply:* Ok, interesting, did you make specific settings to make remote support using Teamviewer available? In the WP and WPoCOD scenario we noticed these black screens when using Samsung devices.
Hey guys, is anyone facing an issue where the phone says guided access not available, please contact the administrator? It has only been observed on the new iPhone SE DEP during enrollment.
*Thread Reply:* has this device been added manually to ABM or has it been in another ABM before ?
*Thread Reply:* Isn’t that usually what happens on a new DEP device when you enroll and you have set “Install Company Portal with VPP” to use VPP (in the DEP profile in Intune) and the Company Portal app hasn’t come down to the device yet?
From my experience if you wait a few moments it works, but the message is misleading yeah
*Thread Reply:* Yes, that's how it should work. Found the issue was with the Company portal app License.
@Robert Schafer has joined the channel
Nice write-up on Intune/Endpoint Manager iOS/iPadOS Shared Device mode by @Peter van der Woude https://www.petervanderwoude.nl/post/getting-started-with-shared-device-mode-for-ios-devices/ 👏
*Thread Reply:* Thank you 🙏
Has anyone run into issues with enrolling iOS 15 into Intune via Automated enrollment? We are seeing 'Invalid Profile'
*Thread Reply:* Funny, same issue here. Trying it for an hour and running into the same issue.
*Thread Reply:* “Profile installation failed - The payloads in this profile do not have unique identifiers”
*Thread Reply:* I opened a MS case, let me know if you find any workaround or if this is a known issue
*Thread Reply:* Sure. For now I’d flag that in the feedback app.
*Thread Reply:* Beta OS versions typically aren’t supported (MS is pretty slow on that side). But the same is typically true for WS1 and other UEMs. (Would usually require an update / new version of Company Portal app / agent to support the OS changes in major ‘dot’ releases once GA’d)
*Thread Reply:* With the current beta I was finally able to enroll my device
I’m looking to manage Hololens2 devices with no user affinity in kiosk mode and with Autopilot automated MDM enrolments. Any ideas what would be the cheapest license or license combination to achieve this ?
Autopilot requires Azure AD premium P1 as a minimum, and you will need to get an Intune license too. Might be worth looking at the EMS license as a bundle.
*Thread Reply:* Where did you find that info? Don’t see that under “What’s new in Microsoft Intune”
*Thread Reply:* @Jay where did you find this? I’m not able to find it
*Thread Reply:* @brob Tenant Administration > Tenant Status > Service Health and Message Center
*Thread Reply:* It’s hidden, yeah as @Ajay Patel said you’d have to go to Service Health and Message Center and look for the post on the 2nd of July.
*Thread Reply:* this is possibly going to make some noise as I presume it affects Intune managed and 3rd party integrated MAM via Graph API
anyone experiencing extremely slow installs for apps on any devices enrolled into Endpoint Manager today? Pushed out a few apps and typically they hit the device within 10-15 minutes but it's been over 2 hours and only 1 app has downloaded and the others are not even in the managed Play Store yet
*Thread Reply:* Yes, and I raised a support case, but in the end it seems to be a Google Play Store problem and Microsoft kindly suggests you raise a case with them...
Hi all, at one of our customers i’m trying to import .p12 certificates into Endpoint manager. I’ve done quite a bit of research, but haven’t been able to find a solution to push these certificates without the PFX connector. I did find a way to distribute the .p12 files using a ‘Custom configuration’ with an Apple Configurator 2 profile attached to it. I’m wondering if there is an easier / quicker / better solution to my problem. Has anyone encountered this before and found a solution for it?
*Thread Reply:* The certificate isn't being distributed by their own CA. It's a certificate from a 3rd party.
has anyone deployed Android based Teams Room Systems on Intune? If I'm reading the requirements correctly it has to use DA instead of Android Enterprise... Surely that can't be right? - Have a customer that has a CA policy that states anything accessing corporate resources has to be enrolled. When going through the enrolment it just fails to sign in and I can't see any issues in AAD. The sign in attempts are all passing the CA policies in place. The only thing left to think of is that I need to enable DA in this environment (fairly new environment so not enabled)
*Thread Reply:* I've been trying to get my hands on one for this very reason
*Thread Reply:* yeah trying to get Poly to send me one to test with!
*Thread Reply:* side note - it was the customer's CA policy blocking the enrolment of this... and it does indeed enrol as DA
What are the odds that Microsoft will update Microsoft Tunnel to run on Docker for Windows? 🙂
*Thread Reply:* theoretically you could get this to work with WSL... The question intrigued me so I did some googling and you could potentially get this to work using the below https://docs.docker.com/docker-for-windows/wsl/
*Thread Reply:* Yeah, i may have to do some playing. Linux experts are in high demand on my side, and it would result in a much quicker turn around for a pilot test.
*Thread Reply:* I'd love to test this, just don't have the environment for it. And our business wouldn't do it as they have no need for it
*Thread Reply:* i've got two apps that need tunnel service; this is the last piece stopping me from moving completely to Intune.
Customer is setting up MS Tunnel but with no public IP (runs via Azure Application Gateway instead). We don’t get the Tunnel to work on devices, could it be that Tunnel server needs public IP or could it work via Application Gateway?
*Thread Reply:* The Tunnel server must be publicly available with a public IP, DNS entry and trusted certificate chain.
Hey folks, does anyone know if it is possible to extract device hashes used for autopilot from the current tenant and migrate to the new one ?
*Thread Reply:* With this graph api u can get the hashes. And then u import them with csv. https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments?view=o365-worldwide
*Thread Reply:* Hi Bram, the link provided is for the safe attachments.
*Thread Reply:* My bad, reread the API call, but it doesn't get the hardware hash. The best way would either be to create a PowerShell script and deploy it on the old tenant. Then with PowerApps or Azure Functions, or PowerShell itself, let the device register itself in the new tenant. Example can be found here https://msendpointmgr.com/2019/06/29/microsoft-graph-intune-fun-create-flow-connector-for-autopilot/
*Thread Reply:* Just don't forget to remove the device from Autopilot in the old tenant before migrating to the new one
Hi folks. So in WS1 and SEG you have the email attachment security feature which saves (if downloaded) the attachment and secures it in the Content app. Is there an equivalent setting in Endpoint Manager (OneDrive i expect as the equivalent) and is there any additional requirement? Thanks
*Thread Reply:* MS has Safe Attachments for Exchange. But this is on the server level, not the client. https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments?view=o365-worldwide
*Thread Reply:* Thanks @Bram Dc the feature I’m looking for is that mobile device users are, when trying to download a mail attachment, the attachment doesn’t just download to local storage or anywhere else but is secured and forced to open in a Content app eg one drive. Thanks
*Thread Reply:* Hey jamsy, that is configured through the app protection policies. In your case it's for Outlook: restrict the downloads of files only to OneDrive and/or SharePoint
How would you go about whitelisting certain models of iOS and Android devices (not OS) with Intune MDM?
*Thread Reply:* you can achieve this with using the new filters option.
more info here if you haven't used them yet https://docs.microsoft.com/en-us/mem/intune/fundamentals/filters
*Thread Reply:* Thanks @Ajay Patel, exactly what I was looking for. Didn't have the preview feature turned on in the tenant so hadn't seen it.
Should it be possible to see what apps the user has installed on the personal side of his device when the device is enrolled as corporate-owned with work profile in Intune?
*Thread Reply:* Nope you can’t, that is the whole point of this management scenario.
*Thread Reply:* Clear segregation between corporate and personal data and information.
*Thread Reply:* Yeah, I assumed that, but thanks for clarifying
Hi. Anyone tried to deploy the Apple beta configuration profile via MDM? I am thinking about an easier way for some iOS beta testers to enroll in the beta just by installing the profile via MDM instead of telling them the way to manually enroll in the public beta program. Due to the encrypted mobileconfig file I believe there is no way to do that, right? #iosbetas #microsoftendpointmanager
Hi all, what’s the main benefit of enrolling as corporate owned fully managed user device other than the device being automatically assigned/associated with a user? Are there any policies or capabilities you would miss out on if enrolled as a dedicated device instead? (e.g. conditional access)
There are some scenarios where it may be beneficial for us to enroll as a dedicated device even if the device is associated with a certain user.
*Thread Reply:* It's up to the use case. Dedicated devices are for scenarios where you don't want to associate a device with a user, like kiosk mode or only allowing a limited set of apps.
*Thread Reply:* Fully managed are bound to a user obviously. You can also allow a personal space to install everything employees want (COPE).
One capability are compliance notifications via email. You can't send an automated compliance notification to the enduser of a device in dedicated mode, whereas you can on Fully Managed.
*Thread Reply:* @Daniel thanks for the response above. My apologies for the extremely late reply slack didn’t tell me there had been a reply and I completely forgot about it.
When I apply App Protection Policies to devices that are already enrolled and the apps are already installed, setup and running, how can I get the apps to checkin so the APP is actually applied to the device? From what I saw so far, APPs only apply themselves the moment the user does the login process to the app, if applied later it just sits there and waits for the user to login again.
*Thread Reply:* https://docs.microsoft.com/en-us/mem/intune/apps/app-protection-policy-delivery
*Thread Reply:* This might help to clarify things.
*Thread Reply:* @Jay - I've experienced the same thing I believe you're seeing. On our actual tenant when we enabled APPs it took my device a few days before the policy hit the existing apps, but new downloads it applied straight away. In the doc that @ZL gave, the note section is what to look out for.
*Thread Reply:* Hey guys, thanks for clarifying. My colleague yesterday also told me that within 24 hours it should checkin and see the applied APP.
If you set an app assignment to “Uninstall” how long does it usually take for the device to be removed if it doesn’t happen immediately? 24 hours? If I go into the device details and go to “Managed Apps” I can also see that the app is still installed even though the resolved intent field shows “Required uninstall”. The device did the regular sync (last one 30 minutes ago) and the assignment was made exactly 2 hours ago now. Is the check for installed apps one that happens separately from the regular device check in?
*Thread Reply:* You can force the sync via PowerShell
*Thread Reply:* Restart-Service IntuneManagementExtension
*Thread Reply:* Thanks, I can also do that through the console, which also almost immediately pulls off the app. What I'm trying to understand is in what intervals the device is checked for the intent?
*Thread Reply:* make sure you have not only added the user/device to the uninstall assignment but also excluded the user/device from the REQUIRED section
*Thread Reply:* Yeah, that’s what I did before. I removed it from the “Required” assignment and waited an hour before I added it to “Uninstall”.
*Thread Reply:* The hour was just to make sure there is no overlap, that’s not necessarily needed.
*Thread Reply:* https://docs.microsoft.com/en-us/mem/intune/configuration/device-profile-troubleshoot
*Thread Reply:* No need to wait , just do both at the same time.
*Thread Reply:* “Devices check in with Intune when they receive a notification to check in, or during the scheduled check-in. When you target a device or user with an action, then Intune immediately notifies the device to check in to receive these updates. For example, when a lock, passcode reset, app, or policy assignment action runs.”
*Thread Reply:* So it basically should check in immediately after I change that; other than that the regular check in cycle is 8 hours.
*Thread Reply:* Looks like it, but test and verify as always.
*Thread Reply:* also this https://www.petervanderwoude.nl/post/windows-10-mdm-policy-refresh/
@Jay interesting. It usually happens at the next scheduled MDM check-in with Apple.
The MDM is at the liberty of Apple to relay and carry out the message on the device.
So if MEM queued up the uninstall command but it isn’t being relayed… that’s most likely an issue on the Microsoft side
Not really MEM, but are there any slack workspaces/channels for Defender for Endpoint out there?
Was somebody able to make the SSO extension for Apple work? I’m currently testing and have it setup according to the article from @Peter van der Woude. It is working in the Safari browser on the iPhone, but the apps that I have that also use SSO (Slack, Zoom, Global Protect and a LoB app) are all ignoring this and I’d still be prompted with the SSO screen. Somebody with similar issues?
*Thread Reply:* Any reason why you are using Redirect instead of the pre-defined AAD SSO extension type?
*Thread Reply:* I tried the AAD option first, since it didn’t give the result I expected I shifted over to redirect.
*Thread Reply:* @Jay Which of the two configs was working in Safari? Or both?
*Thread Reply:* I’m guessing it lies somewhere in the bundle IDs of allowed apps and them not being included for one reason or another
*Thread Reply:* Hm, the bundle IDs are correct. I used the redirect config and that was working. The weird thing is, in the browser it works with portal.office.com and the same setup doesn’t work for our internal social media page that also goes through login.microsoft.com then forwarded to Ping ID and then should go to the requested page. Same is with apps, with Global Protect it works, same login flow as mentioned before (login.microsoft and Ping ID), but with other apps it doesn’t
Do you have MS Authenticator installed on your devices? It’s a requirement
Yes, I have. As mentioned before it is working in Safari, but that’s about it
does anyone know if you set a DEP Profile to not use User Affinity, if the user then signs into the company portal after enrolment, would that device update to a user enrolled device and show as assigned to that user in the portal etc?
*Thread Reply:* If you set to not use User Affinity and the user signs into the CP app it shows up as Corporate device and is assigned to that user in Intune and should also in Azure AD
*Thread Reply:* @Jay thanks for that. Wasn't sure what it would/wouldn't do
*Thread Reply:* updated my first comment, it shows up as “Corporate” device not “Personal”
*Thread Reply:* ah okay that might work then... Will have to give it a proper test when i can
*Thread Reply:* yeah, test it to confirm. but "Corporate" makes more sense and is also what I see. since it enrolled through DEP it can not have ownership set to "Personal", so my fault
Is anyone using Microsoft Tunnel? Is there a way to provide users with their home drive (CIFS) like there is with MobileIron?
what do people do to automate cleaning up old stale devices on MEM for Android Enterprise Fully Managed devices? The built in clean up rules apply to everything else except Android device.
*Thread Reply:* We are taking a scripted approach, since the built-in clean up is pretty poor.
*Thread Reply:* would you be willing to share your script or parts of it?
*Thread Reply:* Unfortunately it is still in the backlog, but once it's nearing some operational state I can share some key parts. No ready date at this time though, sorry.
@John Brosius has joined the channel
Any ideas how to activate VPN in app Defender for Endpoint (Android)? Seems that we still can use MS Tunnel for iOS but on Android we need to change to MS Defender for Endpoint..
*Thread Reply:* Microsoft discontinued MS Tunnel app for Android. You need to migrate to MS Defender for Endpoint (as you mentioned). If you already configured MS Tunnel app, keep in mind to change the connection type to 'Microsoft Tunnel' instead of 'Microsoft Tunnel (standalone client)' for your Android VPN config.
https://docs.microsoft.com/en-us/mem/intune/protect/microsoft-tunnel-migrate-app
How can users enroll their mobile devices in Intune (iOS and Android) if they don‘t know their password?
*Thread Reply:* You can use alternative authentication method like TAP or other IdP
*Thread Reply:* TAP? Don’t know that one. IdP, like how? The user has the Company Portal App on the device, enters his email address, gets redirected to the IdP. If the IdP is configured for CBA, the device has no certificate at that moment because the device is not enrolled yet. How would this work? MS authenticator?
*Thread Reply:* Temporary Access Password
*Thread Reply:* If the IdP supports password-less auth through a mobile app or something else
*Thread Reply:* https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-temporary-access-pass
Hi all,
Question, an organization wants to have Endpoint Manager implemented to manage Windows devices and enroll these devices using Autopilot. However they are using a federated third party IDP, instead of using Azure AD to authenticate. This third party IDP says their IDP solution doesn't support Autopilot (no WS-trust support). Not being able to use Autopilot has quite some consequences.
I am wondering whether any of you ran into this before and if you were able to create some kind of workaround, since other options like moving to AAD for authentication have quite some impact as well.
Thank you!
*Thread Reply:* The Azure tenant is not federated ?
*Thread Reply:* During User Driven Autopilot, user should be redirected to IdP
*Thread Reply:* If you are using Self Deployment you can alternatively use Web Sign-in
*Thread Reply:* This option slipped through my mind a few days ago, but when using Self Deployment and using Web sign in you will be redirected to this third party IDP as well. So I am not sure if I fully understand your point. (thanks for replying)
*Thread Reply:* If not using Self Deployment (i.e. using User Driven), you should be able to login using the IdP
*Thread Reply:* So they’ve got Azure federated to a 3rd Party IdP… which is just for auth to use Azure. Once they’ve authenticated, the client should be redirected to the SP (Azure/AutoPilot) and things should move forward. AFAIK the 3rd Party IdP should just need to auth via SAML/OIDC/etc for Azure and then be out of the mix.
*Thread Reply:* Hi Woody, thanks for replying. What you mentioned is correct. However the 3rd party IdP (SAML based) says they don't support Autopilot WStrust. So according to them the authentication part within Autopilot itself will fail.
is there a way to get a LOB app that can't be added into Managed Play to be used within Kiosk mode on Endpoint Manager? I can obviously just upload the APK but the Managed Home Screen app doesn't allow non Google Play apps to be published. The customer doesn't use Google to publish their apps and instead hosts them on a server where people can manually side load them. This would usually be fine for any other MDM but obviously Intune doesn't have this capability
*Thread Reply:* According to this uservoice I guess not, unfortunately. https://microsoftintune.uservoice.com/forums/291681-ideas/suggestions/35733688-allow-lob-apps-on-devices-managed-in-android-kiosk
*Thread Reply:* You could use the Managed Google Play private app for publishing, no?
*Thread Reply:* no, as these apps have been built outside of Google's framework, and so if I upload it and then another customer tries to do the same thing they won't be able to upload it, so we don't want to take the risk and have to go through issues in the future to remove it/re-design it etc.
Is anyone getting a timeout on applying Intune app protection on fresh install of MS apps?
When changing to modern authentication during enrollment, what would you guys recommend; changing the current DEP profile to follow that step or create a brand new one and assign that as default profile?
Test with a few devices in the new profile. Then modify the existing one for production
Already tested, was just thinking if there are any pitfalls if I decide to change the existing one. Probably assigning the new one and having the old one as fallback could also be an option
*Thread Reply:* We changed the production one about two weeks ago. No issues raised yet - seems to be fine.
if you would run into any issues you could simply revert the change in the production profile, right?
*Thread Reply:* Yeah, did it yesterday, change the default profile, no effect. Manually assigned the new one to the devices then, no complaint so far. Looks like changing the default will only have effect on newly added devices. For the existing one I had to do it manually.
Is there a way to exit iOS Single App mode from the device? Also, if we exit Single App Mode, will the safari history be deleted?
*Thread Reply:* I’ve never seen a way of exiting single app mode on iOS device it’s locked in until the EMM defines otherwise!
*Thread Reply:* It's possible with other MDM vendors
*Thread Reply:* Really that’s interesting, what other MDM vendors do you know support this?
There’s autonomous single app mode but that is app dependent and requires the app to have an option for this.
*Thread Reply:* Sorry I confused this with Android Enterprise - also not possible on iOS.
*Thread Reply:* Ahh okay no worries thought as much :)!
I’m looking at ways to efficiently distribute a weblink on android devices (AEDO in a multi app kiosk) where the last part of the URL is unique to each device. E.g. https://thisurl/UniqueID
In SOTI I can deploy a custom attribute to each device (bulk import or via API) and use that unique attribute in a single kiosk policy so that the URL has the unique ID.
I can’t seem to find a similar method in Intune as by the looks of it you are limited to MGP web apps and there isn’t a way to dynamically change the URL.
Any ideas?
*Thread Reply:* Maybe configuring the Chrome app with Managed Bookmarks or changing the start page (via app config policy) fits your needs?
However, limited to use the Intune Device ID Variable {{deviceid}} or Azure AD Device ID Variable {{AzureADDeviceId}}
*Thread Reply:* Thanks for the response, it's a couple of hundred devices so that would mean a couple of hundred links which just isn't feasible! We also want a direct link from the kiosk rather than having to access the browser and then a bookmark.
Hi everyone! I have a mobileconfig file I need to push to a subset of my devices, which is responsible to redirecting carrier data to a custom APN. We are working on distributing this configuration to the entire environment, however we need to do it in small batches as we also need to add the static IP/APN configuration with the cellular carrier on the line at the same time. Long story short, is there any way we can add some sort of device attribute that would define the group that gets this custom profile? Currently we have to get the list of devices, find their Azure Device ID, then add those IDs to the assigned security group. Generally with other MDMs we can create a device group, and define it with a custom attribute. Looks like assigned security groups in Endpoint manager will only take device name (starts with) and Azure Device ID. Thanks!
*Thread Reply:* allo? Okay with a nope, just curious really
Anyone else seeing issues of app config deployments on iOS 15 devices? In my case seeing it is failing on Outlook app config. Only similarity so far is iOS 15.
@Tim the entire XML/PLIST failing to generate/send/apply?
@Woody , seems so. The managed app configuration isn’t applied on the app itself (configs not enforced) and the MEM console shows the managed app configuration as ‘error/failed’?
Hmm. Have to wonder how much zero-day support MSFT plans to incorporate into Intune/MEM now that they’re the big dog 😆
Hah. They'll do 0 on that day
*Thread Reply:* Money talks and o365 bundling has been ultra effective
*Thread Reply:* Wouldn't surprise me, Gartner has them way above
*Thread Reply:* Woooow, I remember when this looked way different. That’s crazy, considering that that was not too long ago.
*Thread Reply:* can't find the latest Forrester Wave, but it paints a similar picture
*Thread Reply:* what neither chart fails to capture is how much I hate intune 😉
*Thread Reply:* haha, I got into MDM using VMware and I wasn’t really a fan of it, until I changed the employer had to learn Intune and figured VMware was actually way better than I thought
*Thread Reply:* When forced into using AAD CA with O365, why not "just" manage everything? That doesn't make them high on "ability to execute". 🙂
Perhaps a silly question - An imported Google Play app, does it -need- to support managed configurations in order to send one down alongside it? I’ve imported, but am not seeing it in the list to create/deploy a managed config for it.
*Thread Reply:* Okay, I may have answered my own question. It appears that you’ve got to add a custom entry if the app package doesn’t inherently provide its own key/value pairs
*Thread Reply:* Does MSFT offer use of variables/tags to auto-populate values?
*Thread Reply:* {{userprincipalname}} {{EmailAddress}} {{onPremisesSamAccountName}} (if synced property from local AD to AAD)
most variables we have found here: https://docs.microsoft.com/en-us/mem/intune/protect/certificates-profile-scep (Use SCEP certificate profiles with Microsoft Intune | Microsoft Docs)
*Thread Reply:* and yes, an app has to support “ManagedAppConfiguration”
the app has to read the values received from MDM channel and handle it accordingly. Google provides an API for MDM to read those values from the apk, for iOS you have to contact the app vendor
anyone else notice that Microsoft subtly added the ability to locate devices on Android but only for dedicated devices and not fully managed!
*Thread Reply:* ah yes you are right, I completely missed that line. Didn't scroll down enough. The rename option is going to be a godsend feature!
With Apple saying they want to give people the possibility to decide if they want to stay on iOS 14.8.x or move on to iOS 15.x, has somebody already started testing a way to segregate those devices in Intune and maintain that in a proper way? Maybe using filters or something like that?
Anyone configured native email for iOS with certificate so that end user doesn’t need to enter password? Account is located in O365 and server address is outlook.office365.com
*Thread Reply:* Hi Peter, PKI integration is configured and I get user cert to my device but still prompts for password. Any ideas what could be wrong?
*Thread Reply:* Did you configure your root and intermediate CA in AAD?
*Thread Reply:* What I meant was what is described in the below article https://docs.microsoft.com/en-us/azure/active-directory/authentication/active-directory-certificate-based-authentication-get-started
*Thread Reply:* is the CRL available from the outside? via http with no login?
*Thread Reply:* I just tested and the URL for the CRL is reachable from outside.
any ideas why Intune would be showing an incorrect IMEI in the portal for some devices and not all? For example, I have 2 devices on Android 11. 1 device has the exact same IMEI and serial number as in the Samsung Knox KME Portal, the other device has a random IMEI but the same serial number. I thought it might have been due to privacy changes in Android 11 but we have a multitude of devices running Android 11 with different results!
*Thread Reply:* just an update, intune has decided to start pulling through IMEI 2 (if a dual SIM phone) by default now it would seem...
n00b question - When you’re pushing the Comp Portal to DEP devices, is there a config that needs to be pushed to keep it from wanting the user to sign-in, install the MDM profile, etc?
Once sign-in is complete, it does retrieve the record for the existing DEP device that’s enrolled, but it still wants to enroll again.
*Thread Reply:* How was the CP pushed to the device? Via DEP profile or via Required Apps?
*Thread Reply:* I'm not entirely sure, but I mean you have to pass the XML along if you don't use Setup Assistant with Modern Auth.
<dict>
    <key>IntuneCompanyPortalEnrollmentAfterUDA</key>
    <dict>
        <key>IntuneDeviceId</key>
        <string>{{deviceid}}</string>
        <key>UserId</key>
        <string>{{userid}}</string>
    </dict>
</dict>
*Thread Reply:* @Nico Hermeling gotcha! Greenfield enviro. Okay, so for User Enrollment let them download/install Company Portal and enroll the device. For DEP, add CP into the DEP Profile (specifying VPP as the source for the license)
*Thread Reply:* And if not using modern auth, send the App Config xml to the device.
*Thread Reply:* This makes sense. I’m used to BYOD doing web-enroll to MDM, then push of the management app. I forgot it changes with the User Enrollment workflow
*Thread Reply:* Just tested/verified Modern Auth + Company Portal. Works like a champ
*Thread Reply:* So from a Required App perspective, it really does not need to be pushed/installed.. because it is either installed via DEP or when the user installs for BYOD
Does anyone have any predefined dynamic Groups that they typically create/use? e.g Company-Owned iPads, BYOD iPads, etc. In terms of App Assignments.
@Graham Hathway has joined the channel
how would you guys go about separating devices from a compliance policy based on the OS version, when the assignment of that compliance policy is based on a user group?
*Thread Reply:* filters will do this. It's in public preview which means it's fully supported by Microsoft if you needed to raise a support ticket
*Thread Reply:* by the way, I appreciate that you almost always try to help.
*Thread Reply:* it's what this channel was created for 🙂
*Thread Reply:* yeah, but everything kinda died down over the last couple months🥲
I see that the documentation of filters hints that it could be used for that, but since that is still in preview I wanted to check if there is another option
Anyone know if MEM is able to create/issue AE Web Apps? Image from MI Cloud for a visual:
*Thread Reply:* https://docs.microsoft.com/en-us/mem/intune/apps/apps-add-android-for-work#managed-google-play-web-links
*Thread Reply:* Its part of the Managed Play iFrame so I’d imagine any EMM that supports the iFrame should support that concept
*Thread Reply:* I concur @Matt Dermody - It’s the EMM UIs that always get ya
Does anyone know what needs to be fulfilled for a device to show up in Microsoft 365 Defender portal? I’m trying to test MS Defender web content filtering on iOS devices that is managed by other MDM tool other than MEM, but it doesn’t work. I have just signed in into MS Defender app, that’s all.
I'm unable to update an iPhone to the latest version as I am getting this error "your software is update to the last version your company allows" though clearly the device is not on the latest version, nor is there any minimum iOS version requirement set on the MEM? Any suggestions?
*Thread Reply:* There has to be a config profile or something that blocks updating, the message is very clear.
*Thread Reply:* Check settings and see what profiles you have assigned to the device.
*Thread Reply:* There is no iOS related config profile assigned to the device, I rechecked. Not even a day delay or limit to iOS
*Thread Reply:* Have you checked on a device or in the console ?
*Thread Reply:* On both. Can't even un-enroll it as this is a DEP device and the device has data that cannot be wiped. Tomorrow I'll give it a try by connecting to iTunes; if that does not work then I will exclude the user from all config profiles on MEM and check.
Can anyone remind me - Is there a way to enroll the web-based method with MEM?
Thanks @Peter Mohr - I love that they have a SSP, but it just forwards the BYOD device to App Store --> Comp Portal.
Anyone having issues pushing W10 Feature updates via Windows Update for Business?
Has anyone found a way for MEM Filters (Beta) to give you a preview of devices that meet the criteria? https://www.youtube.com/watch?v=AIt6OSmgcuM
*Thread Reply:* I’ve been using this since yesterday on a compliance policy we have. But unfortunately I haven’t found any way to see which devices would fall under that criteria, which is really annoying.
*Thread Reply:* I tested it with a dynamic group first, to see who this would target. That’s just a workaround tho, they should include an option that shows what devices would be affected, before you make it go live.
*Thread Reply:* @Jay agree wholly. I just @’d them on Twitter to hear their thoughts
*Thread Reply:* If you’re trying to steal customers from other EMMs.. at least incorporate feature parity
*Thread Reply:* so true. there is still a lot missing in MEM. what also annoys me is that basically all the blades do not necessarily show the same information
*Thread Reply:* checking for compliance becomes a nightmare when the policy overview shows one thing, but when you grab an export using reports you get different numbers at times. that’s frustrating
*Thread Reply:* Grouping, targeting and filtering will be a Deep Dive session at Ignite. Let's see what's coming in 2 weeks 🙂
Can we remotely deploy APN settings to the devices in MEM and save the hassle of having the users configure it manually?
*Thread Reply:* only Samsung devices using the Knox Plugin... And potentially other devices like Zebra etc but not on any Android device out of the box
*Thread Reply:* ok. For Work Profile devices you can’t. For Device Owner you can set the APN. KNOX Service Plugin / OEMConfig is a good way of doing this
*Thread Reply:* Thanks, this helps as I was not able to find anything related to this, only thing I can find for Intune is that it was requested as an enhancement request over 2 years ago and hasn't been implemented.
anyone know of a way of getting the actual model name/number for an iPad in intune. All it shows is that it's an iPad but not what model it is or anything! For example in AirWatch you can see the full model name (iPad (9.7-inch, 5th generation) (32 GB Space Gray)) but in intune it just shows iPad.
*Thread Reply:* the closest it gets for me is this under “Device Details > Hardware”
*Thread Reply:* yeah it was the generation more than anything i was after or even a model code! There have been 4 generations of iPad Air!
*Thread Reply:* MEM is behind, as always
*Thread Reply:* Frustrating as this is pretty basic stuff
Any ideas how to export all Android Enterprise devices with hardware “Enrollment Profile” attribute?
*Thread Reply:* If you are looking for all Android devices that have a specific Enrollment Profile assigned to them, you could create a group, set the assignment to dynamic device, and then set the query to “enrollmentProfileName” equals “ProfileNameXYZ”. You should be able to download the group that is created by this.
*Thread Reply:* I have tried this, but was looking for a script that pulls all Android devices + the Enrollment Profile used when the devices got registered
What’s in Development/on the horizon with MEM: https://docs.microsoft.com/en-us/mem/intune/fundamentals/in-development
*Thread Reply:* Especially I’m looking forward to these two: • Enable app update priority for Managed Google Play apps • Manage iOS/iPadOS Universal Links using App Protection Policies
*Thread Reply:* and a couple more 🙂 • Duplicate a settings catalog profile • Improved flow when saving logs in Android Company Portal app (will this also apply for the Intune app though?)
*Thread Reply:* @TGR What purpose does the Intune App serve at this point? Legacy app as ppl are transitioning to Comp Portal?
*Thread Reply:* On the contrary - Company portal was there first, but for all Android DO devices it’s now phased out and the Intune app is the one being added by default. Yes for Work Profile and iOS it’s still called Company Portal, but I presume the Intune app was a way for MS to clean up code and start afresh apart from offer certificates on dedicated devices without having to mess with an app depended on in production (Company Portal). The bummer has always been the lack of logging for Intune in general - this is getting slightly better, but I still don’t understand why end users can press a button with ‘Send logs to MS support’ but can’t do the same to their own admins who will be looking at the issues first. On a dedicated Android device you don’t have the option of sending an email, so how should users on devices (without user affinity) pass on logs from them…
*Thread Reply:* @TGR Ahh, I can't say I had noticed it was actually called Intune and not Comp Portal. It makes sense why they did what they did. Agree though, you've gotta keep that feature parity!
How can I allow only managed Wifi for iOS devices? I know there used to be a payload for that.
*Thread Reply:* Yes, maybe production soon
*Thread Reply:* Do you have any issues with uninstalling apps via Intune?
*Thread Reply:* I have two apps on our devices, and both are failing to uninstall
*Thread Reply:* Did not try it for now. We are only deploying 2 store apps and using kiosk
*Thread Reply:* Not at the moment sorry, I am off this week
*Thread Reply:* @Florent N. can you check if you can uninstall apps from your lens?
Anyone using the Android Connected Apps feature to connect Outlook on WP-COD devices in MEM? I have enabled the App Config policy but it does not seem to work. I do not get prompted to enable anything on the device either, and can’t find any such feature in settings etc.
@Anton I What does the Connected Apps feature do? Admittedly have not gone down that path yet
*Thread Reply:* Like Mark mentioned, but imagine a user having a personal calendar in the personal profile, and a work calendar in the work profile. Since life is still life, they would want to see this side by side, but can’t, due to the design of Android Enterprise. With the connected Apps feature, we could enable Outlook (or similar) to be connected to the personal side, and then you could perhaps see calendar items from both sources side by side 🙂
I saw this live at the Android Enterprise Summit @ London back in 2019 I believe but it has taken an incredibly long time to get out to the market… 😄
Never tried it though:
https://developers.google.com/android/work/connected-apps
Not sure if the actual apps support it though: For an app to provide this experience, the app needs to integrate with Google's connected apps SDK, so only limited apps support it.
*Thread Reply:* They showed the MSFT Launcher app that supported this on the latest Android MSFT Ignite video.. so I thought the real use case that people ask for, Outlook, should be supported. But maybe not 😉
*Thread Reply:* Yes this is possible: the outlook setting “sync calendar” has to be turned on and then you have the google calendar app installed on the personal and work profile and you can then connect those two instances together for a single calendar app view
*Thread Reply:* OK so set Sync calendar in Outlook @ Work profile (manually, or can this be done with AppConfig?), and then push the google calendar app to the WP as well? And they will connect?
*Thread Reply:* Sounds reasonable but I think that MSFT will implement this feature Outlook > Outlook at some point as far as I see it 🙂
*Thread Reply:* A good thing, but if this means updates will run at anytime using mobile data this could also lead to a lot of frustration.
*Thread Reply:* if that is a concern, then you would just stick with the default update mode.
*Thread Reply:* Still waiting for Google to add version control and rollbacks
Anyone managing macOS? We want to downgrade local admin accounts to standard user accounts. I see no options within the GUI, so the question is will this work via shell script? It can be done with "sudo dseditgroup" - the question is if sudo will work via Intune.
Anyone found where User Enrollment occasionally flags a device as Company owned?
*Thread Reply:* Okay. Two of the users (admins) were flagged as device enrollment managers. Still have some regular users that experienced it though
*Thread Reply:* I noticed somewhat the same: a regular user was flagged as device enrollment manager without anyone doing it manually. And was not able to enroll in a Supervised device nor a Fully managed Knox device.
*Thread Reply:* Interesting @YAS — I think (okay, I know) they’re still working out bugs in their code 😆
just curious, do people use Dynamic Device Groups to assign their main policies to users devices. If so, what criteria do you use to create the group
how long does it usually take for an Android LoB app to show up in the Managed Play Store and is uploading it through the console the right way or was there something with the iframe instead?
*Thread Reply:* Uploading to the console will just push an APK into intune. It won't show in MGP IIRC
*Thread Reply:* yeah, I think I tried that in the past and it failed somehow. so I’ll have to open the Managed Google Play iframe and upload it there right?
*Thread Reply:* If you want it hosted in play, yes. Once it's up in there you won't be able to push it to play again via another account unless you change the package name
*Thread Reply:* hmm, difficult. since this is an app that is already out there and the version I want to upload for inhouse testing is a beta version. would uploading the beta version with the same name create issues for the public version that is already out?
*Thread Reply:* it won't allow it to be uploaded
*Thread Reply:* you'd be better leveraging app tracks for an already-public application, and configuring your policies accordingly
*Thread Reply:* All bundle ID / package names in the Play store have to be unique, even if distributing privately. As soon as the package name has been used in any way it has been consumed and you’d need a newly compiled app with a new package name
*Thread Reply:* Got it. But technically that means I also have one try to see if that name is already consumed right? 🥲
*Thread Reply:* Not yet. Do they come into play with MDM or just something the app dev includes in a site/app for the handoff between the two?
*Thread Reply:* it’s something that the admin has to do on the app side and also in Intune you have to add the URL in the app protection policy, according to the documentation
*Thread Reply:* Ah, that's cool @Jay. DLP control essentially
*Thread Reply:* I think that’s kind of the idea behind it
Hello folks,
A customer tried to upload a csv to Autopilot and an error occurred saying that the device was already aad joined (the device was aad joined but not enrolled in Intune). As we cannot see serial number for unmanaged device, does anyone know how to find the device in aad ?
*Thread Reply:* See if you can find the device in the portal.azure.com
*Thread Reply:* Also if there are leading zeroes in the SN, try removing them or adding a few, sometimes it does not pick up sn with leading zeroes correctly.
Hi. Anyone using a pac file with MS tunnel? Their 750 page guide has no mention. Thanks
We're having issues with password prompts within Outlook on Android Enterprise WPoCOD. Every time a user opens the app, the user has to authenticate. Checking the sign-in logs, there is only an entry for Microsoft Authentication Broker. No Conditional Access Policy or MFA active yet. Any ideas?
*Thread Reply:* Seems unlikely, but is there an App Protection Policy assigned, which was modified recently?
*Thread Reply:* Yes you are correct - there is an APP active. Could there be an option active that is causing this?
*Thread Reply:* Solved the issue - the work account settings (required) in the APP caused the prompts
*Thread Reply:* Sorry, lost sight of this post, but the cause you mentioned was where I wanted to point you
Weird @Mikey2000. Do you have anyone in just a standard work profile that can compare? Curious if it is specific to company owned devices or just work profile in general
We are having Outlook sync issues on a few Android Enterprise Work Profile devices - mailbox will not be synchronized. We use Hybrid Modern Auth with Exchange On-Prem. Even though the account will be set up on the device, there is no Mobile Device entry on the Exchange. Intune Re-Enrollment didn't solve the issue. Any ideas how to troubleshoot this? We also have tested with fresh devices for affected users - same issue. So there must be something tied to the user objects.
*Thread Reply:* With hybrid Exchange with modern auth + the mobile Outlook app you don’t sync directly with on-prem Exchange. On the first connection EXO will automatically establish ActiveSync synchronization of the user mailbox from on-prem Exchange and keep four weeks of mail history in the cloud. Mobile Outlook syncs data from EXO. Based on your question I understand that it works for some users so there is not a problem with inbound connectivity from O365 to on-prem Exchange, right? Have you checked the number of ActiveSync devices for these mailboxes?
*Thread Reply:* Great explanation - didn't know that. Correct, only a couple of users. Yes, they have only one or no ActiveSync devices active, so the limit was not exceeded.
*Thread Reply:* See https://docs.microsoft.com/en-us/exchange/clients/outlook-for-ios-and-android/use-hybrid-modern-auth?view=exchserver-2019#troubleshooting for more details and troubleshooting
Hi all, I have a question on the iOS Outlook app deployed from Endpoint Manager. I am aware of the serious limitations Outlook has on iOS related to the contact export feature etc. But now something quite odd is happening. After the iOS Outlook app gets deployed from MEM onto the device and you enable the contact export feature using the designated slider, a message pops up that, let’s say, 500 contacts will be exported to the native contacts app. When configuring the iOS Outlook app manually (from the App Store) using the same corporate userID, and you enable the same contact export feature, a message pops up telling that there will be 110 contacts exported to the native contacts app? Looking at the Outlook app configs in MEM I do not see an obvious cause within these settings. Anybody have an idea on this?
Thank you a lot!
Good morning. Looking at app proxy redirection. It seems you need a managed apps policy and a managed devices policy for this to work. Any experiences? Ta
what causes a phone to stop checking in? I have seen devices enrolled properly and connected to the internet stop checking in after some time.
*Thread Reply:* if it is an android device it could be that the manufacturer stops certain services after some time to save battery
If I deploy an Android Enterprise Dedicated device with Single App mode in MEM, are there any "exit-pin" or how do I at least reach the WiFi setting etc?
*Thread Reply:* The answer is: The application will always be launched, with no exit path. https://techcommunity.microsoft.com/t5/intune-customer-success/how-to-setup-microsoft-managed-home-screen-on-dedicated-devices/ba-p/1388060
In the Endpoint Manager release 2110 the option of screenlock time out was added to the enrollment profile settings for Shared iPad. Does anybody have an idea why it was added to the enrollment profile, since this is less dynamic than configuration profiles. For example it does not apply on already enrolled devices. Has it something to do with system/user context? Any ideas?
Any real difference in the MSFT Dynamic device group attribute "deviceOSType" and the values "AndroidForWork" / "AndroidEnterprise"? Thanks 😄
*Thread Reply:* One is work profile and the other is device owner
*Thread Reply:* Thanks, I guess that AndroidForWork is WP then? Seems like this needs an update 😄
*Thread Reply:* Yep. Welcome to intune 🧐
We are in the mix of implementing SCEP for iOS and Android - does anyone know if Android and iOS support 4096 Key Length?
*Thread Reply:* 4096 is supported in iOS 14 and above and i believe it is supported in Android. Although the default is 2048
Is anyone else also seeing any issues with Samsung devices (Galaxy S20 FE & 21 FE) on Android 12, COPE, trying to update apps in the personal space and most of them fail with the message “Updating app XYZ failed, please try again later”? When the device is not enrolled, updating works without any issues
Intune Certificate Based Authentication for Android Dedicated Devices - since these devices will be enrolled without a user context, how can we issue user certificates for these devices, how would this work?
*Thread Reply:* If they are fully enrolling in MEM via the Company Portal app, then the account used to log in to Company Portal will be the username associated with that device and you should be able to use SCEP to push a user certificate.
Hi all,
Android COBO (fully managed), Samsung KME enrolment -
Can we force apps to install during enrolment, prior to registration?
During enrolment, I've just learnt that I can switch the PIN configuration profile to be user-based instead of device-based assignment in order to force the user to set screen lock during enrolment.
We also use Microsoft Launcher and Knox ServicePlugin on these devices, can we force the app to install at the same enrolment stage as well, prior to device registration? Currently, they install after registration (takes ages) and it's not a very great user experience (starts with one launcher, then downloads MS Launcher). Setting these to user-based assignments didn't have the same effect as the PIN profile for me.
Screenshot of where I'd like to force MS Launcher and KSP apps to download
*Thread Reply:* Hi @Nick Knight! Do you use Dynamic device security groups for assignment of apps? If you use "all devices" and then use a filter, you should have basically instant assignment and that could speed up things..
*Thread Reply:* I also saw the news, but does it also clean up the devices created in Azure AD?
*Thread Reply:* That I don't believe it does. Just from Intune.
*Thread Reply:* In that case I can’t find a good reason to enable the feature as lots of devices just end up stranded in Azure AD without any means of checking where they came from. That’s just IMHO 🙂
*Thread Reply:* depends on the customer and how they look at and manage devices. We have a lot of large customers that simply have such large turnarounds they don't care about tracking the asset but just making sure the user account is wiped. But totally agree with your statement in 99% of the cases
*Thread Reply:* Fair enough but what about iOS devices enrolled without a user - As far as I remember they enroll with a different intune ID than Azure AD ID and therefore aren’t deleted from Azure AD when deleted in Intune - don’t you run into those?
*Thread Reply:* I don't have any scenarios within my customers where iOS devices are not assigned to specific users. Shared iPads for example are just not up to the task and for anything shared, we point customers to use a different MDM like WS1 currently depending on their requirements.
Hi, I’m looking for a way to give inhouse developers the possibility to submit their apps to Intune, so that the app is automatically uploaded, created and assigned to a group of their choice, so that these users can download it from Company Portal. Can somebody share ideas on how this could be done in an efficient way?
*Thread Reply:* Maybe using the Graph API but not sure if that's supported... but could be worth a look.
*Thread Reply:* If they have the licenses that are required for a broker app like I remember we had the F1, F2 initial level of licenses they do not need the company portal app. But if they have the E3, E5 level licenses then we need the company portal app as a mandatory broker app…
*Thread Reply:* Interesting, so it will come down to licensing?
*Thread Reply:* This appears to be a workflow intended for a BYOD scenario? Is there anyway to avoid this given that the devices are already enrolled and fully managed, albeit in a different EMM?
*Thread Reply:* We are already facing this… and there is no solution from MS yet other than trying with a lower license…
*Thread Reply:* Do they have conditional access policies that state the device has to be enrolled? If so, then that would take them through the intune enrolment process.
*Thread Reply:* That is probably it, I will follow back up on that concept.
*Thread Reply:* Looks like a conditional access prompt. Just wanted to add on that theory 🙂
*Thread Reply:* You can configure 3rd party EMM systems to hand over the data of an “unknown” mdm enrollment back to intune for CA: https://docs.microsoft.com/en-us/mem/intune/protect/device-compliance-partners (Device compliance partners in Microsoft Intune | Microsoft Docs)
Any ideas how I can extract public cert from iOS. Thanks
*Thread Reply:* I don't have an answer, but I am curious why you need to do this?
*Thread Reply:* Need to look at some certs as CA integration is not working as expected.
Has anyone heard of the issue that Android 12 devices cannot be enrolled when corporate identifiers are active? Someone told me that Android 12 is not broadcasting the serial for enrollment so this won't work. Never heard of it before. Can someone confirm this?
*Thread Reply:* @Mikey2000 For Dedicated and WP on COD device modes the IMEI and S/N are visible for MDM admins, but for pure WP there is a new "corporate device identifier" that is shown instead, obfuscating the real identifiers on BYOD devices using WP. Not heard of issues enrolling though.
*Thread Reply:* So if you have pure WP, where do we get this new identifier to import into the list?
*Thread Reply:* @Mikey2000 It's not supported on WP Android 12+ https://docs.microsoft.com/en-us/mem/intune/enrollment/corporate-identifiers-add
*Thread Reply:* Thanks 🙏 And also not supported for any other Android mode.
Does anyone know if there is a way to prohibit storing contacts on SIM cards for iOS and Android?
Which browser that supports App Protection Policies (enlightened app) can access the certificate keystore on iOS? Is that possible with Edge?
Microsoft support says we cannot reset the Android device password if the device is Fully Managed? is it?
*Thread Reply:* If it's fully managed with android enterprise as a device owner, yes you can change the passcode.
*Thread Reply:* What if it's fully managed but not the device owner?
*Thread Reply:* So you are in legacy mode? Device admin?
*Thread Reply:* Corporate-owned fully managed user device
*Thread Reply:* can you please clarify if it is Device Owner or Device Admin enrolment type
If I would like to use another keyboard other than the standard one, for devices using Managed Home Screen, do you have any ideas how?
*Thread Reply:* Depending on the device - for Zebra devices you can configure a different Keyboard to use (they have the enterprise Keyboard that is configurable). Other than that I believe you will rely on the OEMConfig capabilities from the device vendor.
*Thread Reply:* Could I push the keyboard to the device and manually exit the Kiosk to enable it in system settings perhaps? This is unfortunately Samsung tablets.. thanks! @TGR
*Thread Reply:* That’s an option - definitely. I’m not sure if you might be able to define the default keyboard through Knox Service Plugin for the samsung device. Which keyboard are you looking to use?
*Thread Reply:* Not sure yet, need to verify with the organization. But thank you so far, will look in to it and of course report back here to help the #community 😄
*Thread Reply:* I can verify that with Zebra you can install a separate keyboard, configure the new keyboard behaviors, make the new keyboard the default, and disable the other existing keyboards like Gboard so users can’t toggle back to them. Knox is pretty capable so I would imagine they would offer similar capabilities .
*Thread Reply:* Could not find this setting; had a glance at KSP OEMConfig but could not see it.. might need to look into it deeper.
Is it possible to enable contacts sync for Android and iOS using Outlook without the contacts being available for messengers like WhatsApp? I also just enabled “Save Contacts” in the Outlook app on two Android devices, one CO w WP and one BYO w WP and an iPhone. The BYO w WP shows only the contact I created myself in Outlook, not all the other contacts that the company has in the address book, the other two don’t show anything. Can somebody point me into a direction here? Am I missing something that is very obvious?
*Thread Reply:* Once contacts are exported and synced to the native Contact app, they are available device wide. You won't have the GAL exported, only user's contacts. It can take some time to sync, and any restriction profile blocking corporate <> personal data exchange will lead to contacts not being exported.
*Thread Reply:* For iOS: You can use the Outlook app, configure some AppConfig restrictions to disable the export of contacts and maybe to add personal accounts etc.
In combination with the above, push just the contacts (and perhaps calendar as well) to the native app using an exchange/email profile. And enable OAuth to get modern authentication, since basic auth is or should be blocked. The result is a "managed" config that will honor the restrictions mentioned by Steven.
Want an extra good end user experience? Include a certificate and use Azure AD Cert Based auth instead of Oauth "Modern auth".
However, you still need the Active Sync protocol to be enabled (but Basic Auth can be turned off).
*Thread Reply:* For Android, Work contacts should not be available for personal apps. However you can enable "searching" of work contacts from the personal side, and allow the lookup in the Work Profile when someone is calling.
iOS and Apple Business Manager - settings within the Enrollment profile - if I select "Authentication Method" Company Portal and also choose the VPP token within the enrollment profile, I still have to assign the app and make it required within the app section, right?
*Thread Reply:* Correct, assignment has to be done under Apps and has to be marked as required in there.
Hi all, wondering if somebody can share some thoughts on device filtering within conditional access. Conditional access is documented to be not supported on shared iPad. However user A needs to sign in to a shared iPad and use Outlook for corporate mail. But user A has another corporate device as well (assigned to User A personally, so not shared). So for this second device you want to enforce at least device compliancy using conditional access. We now try to exclude shared iPads from this conditional access rule based on display name (I know it is not best practice). Based on https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/concept-condition-filters-for-devices#policy-behavior-[…]lter-for-devices this should work, but when signing into the Outlook app on the shared iPad conditional access still forces enrolling the device (which is already enrolled but not assigned to a primary user since it is shared). Any ideas?
*Thread Reply:* Hi Tim, I have no hands-on yet on device filtering in CA policies, but have you checked the What if tool and the sign-in on the shared device in AAD?
*Thread Reply:* Have you seen @Peter van der Woude blog post about this topic? https://www.petervanderwoude.nl/post/using-filters-for-devices-as-condition-in-conditional-access-policies/
*Thread Reply:* Hi Nico, thank you for replying! I read the blog of Peter, which confirmed this 'should' work. I forgot the what if tool, good one, thank you!
*Thread Reply:* Funny thing is, when I run a What if that 100% reflects the situation, the CA policy that enforces compliancy is listed as 'not enforced'. When I just delete the Device filtering in this What if, the CA policy that enforces compliancy is shown as enforced. However on the device CA still does get enforced?
*Thread Reply:* Hi Tim, did you check the Sign-in logs and especially the "Conditional Access" tab in each sign-in events for one of the affected users ?
*Thread Reply:* Hi Steven, thanks for replying. I definitely checked the sign ins. There are two rows being displayed on this action. One says Interrupted and CA Not applied, the other one says Failure and on CA a Failure as well, in particular on the CA policy I created the exclude on.
Has anybody used Microsoft Defender on fully-managed Android or iOS with Corp managed ABM? I've done some testing and I'm finding that I cannot automatically onboard on Android so far. It also asks the user to login, add overlay/accessibility permissions etc. on android. I can use App Config and maybe OEMConfig to alleviate some issues but it's certainly not a 'Deploy and Automated Onboard' experience.
*Thread Reply:* if you find a solution, please do let me know! but this is all by design apparently
*Thread Reply:* the biggest issue is the accessibility permissions that users have to go through to activate the web filtering.
*Thread Reply:* I believe iOS is pretty zero touch (I hate the phrase zero touch). You just need to open the app and accept some permissions if I remember correctly. I haven't played with it in a while and when I show customers the deployment scenarios it's always a no go...
*Thread Reply:* Thanks Ajay, yes it seems that Defender on Android and iOS needs more development to be honest as the onboarding experience is not very fluid.
If you use "Company portal" as the authentication method for ADE in MEM, does the device record state "Primary user: None" until the user has logged in to Company portal?
Or does MEM only show Primary user: None if the device has been enrolled "without user affinity" in the ADE profile?
Thanks!
*Thread Reply:* Not an answer, but are you aware Microsoft flagged this authentication method as deprecated starting at 10th December 2021?
*Thread Reply:* See the Message Center under ID: MC284343
*Thread Reply:* I noticed they decreased the importance of this change a little with the added note at the bottom.
*Thread Reply:* It seems to be only the "Run Company Portal in Single App Mode until authentication" that is being deprecated
Experiencing a strange issue.. cannot connect Android Enterprise (dedicated device) to our wifi. We use cert based auth via PKCS. Trusted root certs, PKCS profile and also the WiFi config have been successfully deployed to the device. We can see the device hitting the WiFi controller, but our network guy told me there is nothing happening on the Cisco ISE (Radius). I hardly doubt that this is an Intune issue. Any experiences?
*Thread Reply:* Any reliance on MAC address or similar?
*Thread Reply:* On the WLC or ISE? Only for Windows devices AFAIK. Could be a little simpler than that - turns out the server cert from ISE was issued by a different CA. Not the one we are deploying
Hello, can anyone help me out? Using Personal-owned devices with work profile, how do you solve the issue with contacts that are in the work profile, but would need to be accessed by apps such as Viber, Signal, that are in the personal profile? Using Intune with Samsung devices if that matters.
*Thread Reply:* did you set the restriction to allow personal apps to read contacts?
*Thread Reply:* Thank you for your reply. Under Android\Configuration profiles\ I created an Android Enterprise Device Restriction profile that is set to "No restrictions on sharing profiles". Is that what you had in mind?
*Thread Reply:* right above this you have “Search work contacts and display work contact caller-id in personal profile.”
*Thread Reply:* And “Contact sharing via Bluetooth (work profile-level)”
*Thread Reply:* Apps in the personal profile are (almost always) not allowed/able to read the contacts in the work profile. Only option is that the contacts are also available.
Blatant self-promotion: I created an app that can help: https://play.google.com/store/apps/details?id=com.zaanweg.synccontacts
*Thread Reply:* Peter, I'm not seeing that:
*Thread Reply:* If the app has support for "connected apps", you could enable communication between the personal and work side. But this depends on the app developer. The setting is enabled within an AppConfig Policy in Intune's case. I don't think the apps you mentioned have this support.
*Thread Reply:* In your screen shot it’s 3 & 4 from the bottom 🙂
*Thread Reply:* @Anton I AFAIK it's not available, very few apps are Connected.
@Peter Mohr indeed the settings are there, Work contacts are displayed in the Personal dialer when I get a call, I can also search for Work contacts in the Personal dialer, but no other apps sees them. I did however enable Bluetooth sharing, thank you.
@Almar Diehl thank you for this, I tested it and seems to do pretty much what is required. Can't believe this is the only way.
Hi all, Anybody knows how to configure MS-Edge on a Android dedicated device that is setup in Single-Kiosk mode by Intune? If it’s even possible.
*Thread Reply:* Should not an app-config solve this? 🙂
*Thread Reply:* Application configuration: https://docs.microsoft.com/en-us/mem/intune/apps/manage-microsoft-edge
You can also use Managed Home Screen as well to pin a web link: https://docs.microsoft.com/en-us/mem/intune/apps/app-configuration-managed-home-screen-app
*Thread Reply:* Sorry Anton I didn't see your message... didn't mean to butt in
Hi, need help: for the MS Outlook app for iOS, can I get the full list of AppConfig keys to create a .plist for allowing/restricting certain features? Control through an MDM.
We are currently planning to change from MobileIron to Intune. Is there any third party application available similar to MobileIron Docs@Work to access SMB based network folders which are hosted on premise?
*Thread Reply:* @mahiroux EBF Files might be your guy. https://ebf.com/en/mcm/ebf-files-2/
*Thread Reply:* or maybe use this as an opportunity to move everything to SharePoint/ OneDrive4Business?
*Thread Reply:* @mahiroux let me know if you need more info. I do a fair amount of work with the EBF team
*Thread Reply:* @Woody Sure. I shall discuss this with the team. Are you aware of any EBF partner in UAE?
For Android Device Owner - if we set a Software Update policy to either automatic or maintenance window, does that apply to security patches also? I have a customer who has around 1000 Samsung devices all with different security patch levels but the same devices. Would they need to use E-FOTA to manage security patches more effectively?
*Thread Reply:* Please use E-FOTA for this. Works so well :)
*Thread Reply:* thanks both thought that was the case but was doubting myself
How do you guys handle end-user enrollment guides for iOS/Android? Which format? How do you design them? Would like to get some inspiration, looking to create something that is easy to maintain and does not require me to show every single step etc.
*Thread Reply:* I do various plays on this - https://bayton.org/docs/enterprise-mobility/android/android-enterprise-provisioning-guides/
Did somebody ever see this message under the details of the VPP token? We didn’t change anything and it was working fine so far.
*Thread Reply:* that's usually the case if someone has used the VPP token for the location in ABM on another MDM server.
*Thread Reply:* Yeah, that’s what I also found in some posts. Question for me would be, if I download the VPP token again from ABM, update the one in Intune and set it to “Take control from other MDM”, would that solve the issue?
*Thread Reply:* Yes, that would work.
*Thread Reply:* I have found this happens on intune and other EMMs when the ABM account is used in apple configure to e.g. add a device to DEP. But the fix is exactly what you did 👍
*Thread Reply:* Wasn’t it possible to use one VPP token for multiple MDM instances at some point or am I wrong?🤔
*Thread Reply:* Kind of, yes. Now, this is a lot easier by just using different locations for each MDM instance
*Thread Reply:* Yeah, makes sense with the location items, just wanted to confirm that my memory didn’t fail me
*Thread Reply:* I didn’t even have to download the token again, I only had to go into settings in Intune and set “Take control of token from another MDM” to Yes. This changed the state to “valid” again.
Migration question in regards to VPP licensing: We migrate from MobileIron to MEM. iOS Devices are DEP devices. The same ABM will also include MEM as a second MDM server. The plan is NOT to wipe the devices - instead we want to onboard with the Company portal app. Supervision will stay. The question is: will we also be able to push VPP apps without the need of the Apple-ID (device license). After all it is the same ABM account, only a different MDM server, right? So it should be possible. What do you guys think?
*Thread Reply:* If you onboard this way you will lose out on one of the most important features of DEP, which is preventing the removal of the mdm profile. Users will be able to remove MDM. So I would highly advise against it, factory reset is a requirement to ensure you retain full control over the device without a user being able to interfere.
To answer your question though, when you remove the device off mobile iron I would expect all the apps to uninstall and then re-install when the device enrolls into MEM using the VPP tokens assigned in MEM, so yes you will be able to push apps without an Apple ID.
As mentioned though, I would highly recommend against migrating without a reset, it's just not worth the hassle.
*Thread Reply:* Thanks for your input.
Yes I totally agree with you on that point. The decision was made because if we wipe all the devices we have to provide a backup/restore process, which let's face it, is a pain. Even though most of the data is considered as consumer features and private, our CEO is not willing to open up that pandora's box. We will use DEP during lifecycle management when we replace devices. Backup/Restore will still be a topic, but not right now during migration.
*Thread Reply:* Ah fair enough, it definitely depends on what the devices are used for but if there is personal data to be worried about backup and restore processes are just as much of a hassle as a wipe. Good luck with the migration 👍
*Thread Reply:* We always have this rule: If your device contains personal data (pictures, text etc) then we just enroll using Company Portal and if the devices doesn’t (shared or “corp” only) then we wipe….
*Thread Reply:* Backup and Restore has been a PITA for like forever, Apple really needs to find a solution for this.
*Thread Reply:* Would typically advise they allow iCloud backup of apps and photos as that's realistically all most want restored. Strongly advise staff against storing photos locally on corp devices (usually mentioning things like they are subject to seizure and eDiscovery focuses the minds!)
If i would like to create an iOS webclip that opens MSFT Edge, what is the "prefix" for it?
*Thread Reply:* microsoft-edge-http:// or microsoft-edge-https://
Does anyone know the root cause of why a device settings scan would be non-compliant in MEM? This is an iOS device on OS v 15.1.
After some observation it's the default compliance - “as active” that keeps failing the device setting scan which sets the device in a non-compliant state. Does anyone know how to fix this?
*Background:* Our organization is freshly ABM/Azure federated, has a VPP token, and 0 compliance policies.
*Thread Reply:* If I understand you correctly, your devices turn up as non-compliant because they are seen as inactive? Unless you’ve changed the default compliance policy, I think it also states non-compliant if you don’t have any other compliance policies setup.
*Thread Reply:* I'm not sure why they come up as non-compliant. It's the “As active” component of the default policy that reads as non-compliant.
I tested your suggestion by creating a policy to see if what you stated is true. However, that didn't change the status of the device to compliant. The device settings scan consistently fails as well.
*Thread Reply:* Does the device turn non-compliant immediately after enrollment? What have you configured in Devices > Compliance Policies > Compliance policy settings at Compliance status validity period (days)?
*Thread Reply:* Hi Nico, the compliance status validity period is set to the default - 30 days
*Thread Reply:* Sorry, to answer your question further: Yes, it turns immediately non compliant after enrollment
*Thread Reply:* have you got this setting set to Not Compliant
*Thread Reply:* I have toggled it on and off, both times I still got the same result of not compliant
*Thread Reply:* You need to do either: create and assign a compliance policy, or change the setting above and toggle it off. After that wait a long time, and have the device check-in a couple of times. That will solve it, but you have to be patient for the changes to take effect.
*Thread Reply:* Hmm, I tried what you recommended and left it for 24 hours. Didn't see a change..
My most concerning part of this problem is really that the device is not completing the device settings scan..
I had an instance where one of the phones became compliant BUT never completed the device settings scan
*Thread Reply:* *UPDATE:* Our APNS cert Apple ID was mismatched. So we revoked the cert and redistributed on Friday.
Letting it sit over the weekend, everything was able to sync properly. This resolved the issue.
Thanks to everyone that tried to help 😊
So... did MSFT ever add "Convert to Managed App" in Intune/Endpoint Manager?
*Thread Reply:* Seriously. It’s been forever @Anton I
Does iOS Intune Company Portal app support app configuration? If yes, which conf keys?
I want to enable notifications for the app but can’t find a way to do that.
*Thread Reply:* for the Company Portal app, you can utilize the "App notifications" payload within the Device features configuration profile. Devices need to be enrolled via ADE for the profile to apply.
Can anyone who's done advanced W10/11 Management with MEM let me know which of these items are feasible? It's been a minute since I've been further down in the weeds on that platform:
• User cannot install new apps of their own
• Apps & OS should auto-update themselves
• Only designated apps should run on PC
• Camera/mic/speakers will be used for video meetings ONLY
• Should be able to join/unjoin wireless networks
*Thread Reply:* Yes that should all be possible, except the camera/mic/speakers only for meetings. At least, I would not know how to do that, but maybe you can create some kind of whitelist of apps that are allowed to use those.
• users are not local admins
• Update rings
• Maybe even Kiosk mode?
*Thread Reply:* Agree with Mark. I would use kiosk mode on these devices, if no reason not to
*Thread Reply:* Nice @Mark Vonk and @Nico Hermeling. Greatly appreciate the quick feedback.
Out of curiosity, has anyone ever dealt with a MEM plugin https://patchmypc.com?
*Thread Reply:* I'm supposed to trial it someday
*Thread Reply:* Customer mentioned it and I have to admit that it has some pretty legit curb appeal
*Thread Reply:* It does. For sure. But I'm tired of having to use other things to make up for intune shortcomings.
*Thread Reply:* Concur. Though, I suppose I'm used to it at this point. Not just with MSFT... there are always going to be shortcomings and areas for 3rd Party vendors to make dat $
*Thread Reply:* If you use only intune, you can check scappmann, they do the same but without client and fully html
*Thread Reply:* @Bram Dc That’s awesome. Appreciate you chiming-in. I’ll check it out!
*Thread Reply:* @Chris Bensing — Check this thread 🙂
Anyone attempted to upload a private Android APK to Google Play (via Intune) and received “Upload an APK with a different Package Name”? My guess is the 3rd Party vendor published the private version of the app with the same package name that is in the Public store (thus a conflict).
*Thread Reply:* Not sure if this is the case, but when the app is not a public app and the developer only provides an apk to his customers, instead of placing it in the Play Store (whether it is publicly or privately) another customer could have uploaded the apk first/already and hijacked the app package ID by doing this (even for the developer). We noticed this several times before, especially when it is a relatively small developer company.
*Thread Reply:* Yes, we dealt with this for a while with our own internal apps. The first customer that uploaded it into Intune unknowingly consumed the package name for everyone else. For some of our apps we had to convert all of our customers to a new package name since the original had been ruined in this manner. We now upload any new enterprise apps for our customers directly into Private Play before any of them get the chance. We can then grant access to those apps to specific organization IDs so that customers with Intune and other limited EMMS that only support Managed Play app distribution can still deploy them. I’d recommend asking the developer that provided you the app if they have it hosted in Private Play and if so can they grant access to your Org ID.
*Thread Reply:* To your point though, it could also just be that they published it under the same Bundle ID. If this is a custom version of a Public app that is being specifically built for your enterprise then it is reasonable to request that they compile it under a different name, or make it available to your Org ID via Private Play
*Thread Reply:* Great points @Tim and @Matt Dermody!
*Thread Reply:* So @Matt Dermody — as an app developer, you can upload tailored versions of the app to the Private Play and then entitle said customer/org ID to that? Similar to what they do over with Apple AppConnect/VPP?
*Thread Reply:* b/c I think Org ID + Private Play is going to make more sense in the long run
*Thread Reply:* The less uploading to stores customers have to do the better 🙂
*Thread Reply:* One last question — How do you obtain the Org ID for assignment via Private Play?
*Thread Reply:* I think i found what I need to provide to the vendor
*Thread Reply:* https://support.google.com/googleplay/work/answer/9495634?hl=en
*Thread Reply:* https://arsenb.wordpress.com/2021/03/01/app-version-management-in-android-enterprise-managed-play-closed-tracks/
*Thread Reply:* https://arsenb.wordpress.com/2020/07/01/how-to-publish-an-app-to-customers-managed-play-store-with-android-enterprise/
*Thread Reply:* Sweet @Matt Dermody — Summarized and sent over to the customer/3rd Party vendor
*Thread Reply:* Sure thing! I learned a lot of the foundational AE management concepts from @Arsen Bandurian and @Jason Bayton’s blogs.
Trying to remember… Conditional Access. Can it involve any 3rd Party IdPs? Or does it need to be entirely operated from within the AAD Premium Identity/Intune environment?
*Thread Reply:* CA can involve 3rd party but those are mostly mobile threat protection. Some 3rd party can work with conditional access but then that 3rd party needs to be your main idp then
*Thread Reply:* Right @Bram Dc — I had seen where they have plug-ins for those external UEM providers. The scenario I’m looking at involves a 3rd party as the primary IdP and O365/Endpoint Manager as a service that’s federated with it.
Hi all, on supervised devices we noticed the following error when pushing a VPP app to supervised devices (shared iPads): 'Device VPP licensing is only applicable for iOS 9.0+ devices. 0x87D13B69'. This error is documented over here: https://docs.microsoft.com/en-us/troubleshoot/mem/intune/app-install-error-codes#ios-and-ipados-app-installation-errors . However the devices are already running on at least iPadOS 14.x? Anybody have an idea how to fix this?
*Thread Reply:* Hi, error message seems somewhat irrelevant. Can we assume that the basics are set? Correct VPP region and that the app has a device based distribution?
*Thread Reply:* Hi Peter, basics are all set, device license assigned using a device group, since shared iPad does not support user group assignment for apps, etc.
*Thread Reply:* Hi Tim! Sorry for the late reply. Does this occur on every distributed VPP app? VPP sync works without any issues? No terms and agreements in ABM that haven't been approved? If so I would have opened a MS case and take it from there
*Thread Reply:* Hello Peter, sorry for MY late reply. VPP works fine, agreements are accepted and happens to all VPP apps. Microsoft support said it was by design, I submitted a design change request to Microsoft….
Android Kiosk mode. Is there a way in MEM to display the “primary user” of said device? Short of adding something manually to the device notes/details.
Should an excluded group have precedence over included groups with configurations?
Example: Group „All Company Devices“ = Assigned group with all devices as members! Group „Test Devices“= Assigned group, one test device, which is also member of „All Company devices“ Now if we deploy a configuration to „All company devices“ and exclude the Group „Test devices“, the configuration remains on the device and is still visible within the device configurations view in MEM. Any ideas why?
*Thread Reply:* Technically exclusion always has precedence over inclusion
*Thread Reply:* What order have you used? Have you first excluded the test device and then assigned the config profile? Or vice versa? Have you checked on the device itself? Some MEM reports and views are very slow to refresh
*Thread Reply:* No I did the exclusion way later after the config was already applied. No I have not checked the device itself yet
I am looking for a slack channel for microsoft defender for endpoint - anyone?
*Thread Reply:* @Mikey2000 would you like us to create a dedicated channel here… or are you looking for a new Slack Team that focuses specifically in Microsoft products as a whole?
*Thread Reply:* Maybe it's time for a channel, but until then you could use the #mtd channel perhaps 🙂
*Thread Reply:* I agree.. lets create a channel. Not sure if this will fit into this workspace.
When using Windows Information Protection and looking into Settings > Accounts > selecting the corporate account, there is something mentioned like 'Managed by mddprov account'. Does anybody know what 'mddprov' means or stands for?
Anyone setup a Poly Deskphone (CCX 500) in MEM?
*Thread Reply:* I got asked to enroll some this week. Haven't done it yet. Not keen on it.
*Thread Reply:* Yeah I'm curious if I just need to create a compliance policy for it to enroll and then it would show up in the Teams Admin Console?
*Thread Reply:* We have setup loads of customers' Android Teams devices. There are some gotchas especially if conditional access policies are in play. Best link to follow is below https://docs.microsoft.com/en-us/microsoftteams/devices/phones-displays-deploy
*Thread Reply:* Thanks!! I will check it out...
Is there a way to monitor SIM swaps in Android or iOS devices using only MEM without a third party solution?
*Thread Reply:* @Jay - not out of the box. You could get funky and use the Graph API and something like Power Automate to trigger notifications when the value changes for example but that incurs costs if you don't have licences and the know-how to do it. But also, does your tenant actually show the SIM number for Android devices or are you only managing iOS devices? None of my customers' tenants show any data for SIM numbers for Android devices.
*Thread Reply:* Yeah, I also thought using Graph API could help here. But just wanted to make sure that there is no out of the box solution for this. My tenant does show some phone numbers for Android and iOS. It probably depends on ownership, management mode and OS version.
*Thread Reply:* it will show phone numbers yes, but not SIM numbers so depends on what you want to achieve.
Microsoft Tunnel - Microsoft recommends using 2 NICs. Has anyone configured this like that? The Linux server should be placed in the DMZ and 1 NIC public and 1 NIC internal?
Is it possible to disable MAC randomization on Android devices in MEM?
*Thread Reply:* On Samsung devices you can use Samsung OEMConfig to disable this. Other OEMs might have similar solutions
*Thread Reply:* @Peter Mohr thx, I’ll look into this!
*Thread Reply:* thanks for the update. If this option were available via EMM it would be easy to push to all devices and get it working. But still we will try the Samsung and Xiaomi OEMConfig as mentioned above
Has anyone run into this issue with missing binaries after installing the certificate connector (SCEP)? https://docs.microsoft.com/en-us/answers/questions/532276/ndes-intune-connector-policy-module-binaries-missi.html
Does somebody know if the Microsoft Intune documentation has an extensive part about enrolling iPadOS/iOS kiosk devices? I think I saw something a long time ago but I can't really find anything right now, but keeping in mind that the documentation is not always perfectly sorted maybe somebody can give me a pointer.
*Thread Reply:* I only know this regarding iOS kiosk mode, but I guess that's not what you're searching for?
*Thread Reply:* I already found that one thanks. What I’m trying to figure out is how you’d register a device to Azure AD for example if the enrollment is without user affinity?
How can I exclude a device group from a certain configuration profile that is assigned to a user group? If I exclude the user the exclusion would apply to all his devices but I only want the exclusion to apply to a certain device.
*Thread Reply:* use the new filters and use the display name of the device. Then apply that filter to the config profile
*Thread Reply:* but also you can't mix device groups and user groups
*Thread Reply:* that is my issue, the profile and policy I want to exclude certain devices from are all assigned to the main user group we have
*Thread Reply:* so depends on how many devices you want to exclude from the config file
*Thread Reply:* not clear now but lets say ten for now, I’d still have the issue that my device group exclusion is ignored by my user group inclusion
*Thread Reply:* are there any constant similarities between the devices you want to exclude, for example are they tablets, are they set up with a different enrolment profile
*Thread Reply:* they are setup with a different enrollment profile and are supposed to be mainly iPads
*Thread Reply:* they are supposed to be kiosk devices, that only should have access to wifi and a specific site. so I started with an enrollment without user affinity
*Thread Reply:* so create a filter based on the enrolment profile name then apply that filter to EXCLUDE these devices from the configuration profile
*Thread Reply:* without user affinity there is no user that I can exclude though, as the assignment has been done to a user group, not a device group
*Thread Reply:* if these devices are without user affinity but your config profile is set to a user group, how are these devices picking up the profile?
*Thread Reply:* sorry, let me explain;
without user affinity is the first test that I did, realized I can only get corp wifi when I have a SCEP profile and that needs a user.
so second try I enabled user affinity in the enrollment profile and reenrolled, so devices pick up all the profiles assigned to the “all users group” and my assignment to exclude those “kiosk devices” from those assignments are ignored
*Thread Reply:* my issue now is that I have a profile that I need, Wi-Fi and that needs SCEP and this needs a user to be properly assigned
*Thread Reply:* right so best to set these devices up with a different enrolment profile (still with user affinity enabled if that's what you need). Then you can create a filter to exclude any device that enrols with that enrolment profile
*Thread Reply:* from your main configuration profile and setup any specific profiles for these devices
*Thread Reply:* would a filter exclude the device from the assignment?
*Thread Reply:* the filters take a little while to take effect just an FYI so would leave it an hour or so after you put it in play
*Thread Reply:* thanks a lot for pointing me to filters! I used this before when it was still in preview and totally forgot about it. this helped solve my issue. thank you
If users forget to open the company portal app after ADE enrollment, or with certain iCloud backup cases, it sometimes acts like it wants to do a device enrollment (but the device is already enrolled), resulting in issues. Any ideas?
*Thread Reply:* I saw this behaviour too when user opened company portal app immediately after it installed. Waiting around 15 minutes with the app closed and also not running in the background usually helped the app recognize the existing enrollment, so the user could finalise it. If it didn’t help I’d usually retire the device and ask the user to reenroll using the company portal app.
I'm interested to hear how people that use app protection policies apply their user group criteria. I have a large customer that doesn't want the hassle of adding users to a group for BYOD devices to pick up app protection policies. Do people just create a user group that adds all users into it based on something like an active account? Just for reference the policy is set to unmanaged devices only, so not worried about it hitting corporate devices.
Does someone know why Microsoft Edge (iOS) from VPP would ignore my app configuration profile even though it says “Succeeded” under App Configuration Profiles in the device details? It’s ignoring my homepage that I have configured and more settings that I had in there like brandlogo and colors but since it wasn’t working I stripped it down to the homepage only to be able to troubleshoot this better
*Thread Reply:* Have you logged on with your AAD account in Edge?
*Thread Reply:* I tried it with and without logging in, same result
*Thread Reply:* Have you added Edge to one of your App Protection Policies?
*Thread Reply:* No, but that is not needed in order to configure the app afaik
*Thread Reply:* Okay correct, @Mark Vonk is right, need to login with user for the profile to apply correctly.
*Thread Reply:* Looks like it is still not 100 % working. When I changed it the first time it would show my custom page as new tab.
*Thread Reply:* Maybe it’s easier when I explain what I’m trying to achieve. I want Edge to run in kiosk mode, with only certain URLs allowed and the device should lock it into single app mode with screen not shutting down. Getting Edge to accept my configuration is the major issue I’m trying to fix since last Thursday or so as it seems not really reliable. The device I’m using is enrolled with user affinity, it is supervised and Edge is assigned through VPP in Intune. In Edge I login with the enrollment user. The app behaves like standard Edge, ignoring the config.
*Thread Reply:* I would create an APP and assign it too. I have noticed with Edge you need both in some cases to work properly
*Thread Reply:* Assigned app configuration policy using XML, also assigned an APP and interestingly Edge shows me this when I go into Settings>General>VPN & Device Management>Profile>Apps>Edge. It does follow a few key value pairs (branding color, branding logo, edge as default browser), but also ignores some other (URL allow list).
*Thread Reply:* It’s working now, only thing I’m struggling with is to get the allow list to work. Added it in the format URL1|URL2 as mentioned here. But still I can browse other pages
Can anyone tell me how I can find a modification history for configs? Someone changed the enrollment restrictions and blocked private enrollment for Android Enterprise. I need to find out who changed this.
*Thread Reply:* It's in Audit logs (Tenant administration > Audit logs). You may need to increase the time range
O365 + Okta — What’s the best approach for Conditional Access/Device Trust? Okta can’t really enforce device trust because then they would block new devices attempting to enroll into Intune (b/c all of O365 is federated under one Okta app).
*Thread Reply:* So at the moment (for legacy Okta tenants) I’m finding that this is really the best approach (short of using defined network addresses/etc to filter auth requests). https://ajawzero.medium.com/okta-device-trust-for-ios-android-microsoft-intune-9fef9af0864
If you want to use Ubuntu for the Microsoft Tunnel Gateway, is this Ubuntu Server or Ubuntu Desktop?
*Thread Reply:* I would use Ubuntu server. Why would you use desktop instead?
*Thread Reply:* I was just thinking if Ubuntu server has no GUI, the setup would be easier for my admins which are not too familiar with Linux. They could copy the PFX with the GUI or use the browser on Ubuntu to verify the device with MEM.
*Thread Reply:* Server for sure. You don't want to run server software on a desktop. The desktop has many unneeded packages installed. You want to keep it lean and secure. If support of Linux is an issue, they should really take a course / training / etc
*Thread Reply:* Is there a way to test the external connectivity? We receive a timeout on the last step of the setup script. We receive the code to register the device within the browser as global admin. That works, but the installation script on the gateway never receives that the server was registered successfully so I suspect missing firewall rules or wrong NAT to the gateway.
We have developers that need to access internal backend resources for their web and native app tests for both iOS and Android. How have you solved this? We're not sure on per-app VPN since the apps are installed from TestFlight/Android Firebase or sometimes sideloading. Can Microsoft Tunnel do full device VPN on iOS as well as on Android?
*Thread Reply:* Yes, device wide VPN is supported on iOS as well as Android devices, but you need to enable it manually in Defender app
Available Apps for Android Enterprise Work Profile - correct me if I am wrong, but is it still the case that available apps are not showing up on Work Profile devices? Currently my problem. I believe I have read something in the past about it not working.
*Thread Reply:* Hey Mikey is it that they don't actually install or just don't show up within the Work Play Store? We had this issue recently and opened a ticket up with support and they addressed it in a console update. Not sure if that was your issue or not but figured I would share it just in case.
*Thread Reply:* Hey Boe, exactly, available deployments don't show up within the Managed Google Play Store on work profile devices. On Device Owner like WPoCOD they show up.
*Thread Reply:* Sorry just getting back to this, once you take that console update it should resolve the issue. However after taking the console update you will need to go back and republish at least one of the impacted apps then all of them should show up. At least it worked that way for us.
*Thread Reply:* What do you mean with console update?
Anyone else seeing Comp Portal back-end services acting up?
or is MS Authenticator a hard requirement now to sign-in using your corporate identity
FYI If anyone is noticing any slowness with Intune today (more than the usual anyway) User Impact: Users checking their devices into Microsoft Intune may suffer from intermittent delays. More info: Additionally, devices may also experience delays receiving applications and updated policies. Current status: Our automated system alerted us to an issue in which users checking their devices into Microsoft Intune may suffer from intermittent delays. We're reviewing service telemetry to isolate the source of the issue. Scope of impact: This issue could potentially affect any of your users intermittently if they are routed through the affected infrastructure.
Does someone know if the custom notification text body in Intune is only for plain text? The documentation is not really helpful.
Anyone getting reports that cert-based WiFi on iOS devices running 15.5 is causing issues? Devices running this version drop connections from time to time, devices not running this version work without any issues. Devices connecting via Cisco ISE and name is configured in WiFi-profile (Certificate Server Name).
am i going mad or is there the ability to wipe personal iOS devices that are setup as BYOD on Intune? Doesn't seem to be the case for Android.
*Thread Reply:* Depends what you see as BYOD. User Enrollment enrolled devices (federated authentication/MAID required) can't be fully wiped, only Retired. However devices enrolled under traditional 'Device Enrollment' are seen as Personal in Intune as well, however you can fully wipe this category of devices anyway. https://docs.microsoft.com/en-us/mem/intune/remote-actions/devices-wipe
*Thread Reply:* @Tim - ah yes User Enrolment i completely forgot about this. Thanks
Hello, Is there an option to export contacts from Managed Outlook app to native mail app on iOS device?
*Thread Reply:* Hello, you can export as read-only contacts in the native iOS Contacts app : https://support.microsoft.com/en-us/office/how-do-i-save-my-outlook-contacts-to-my-ios-contacts-app-51b8450f-2f07-41ab-96ea-afc0de7e6529
*Thread Reply:* For some reason we don't see this option in the managed EXO account. I am very new to Intune. Is there a specific policy i need to enable in the outlook app configuration policy?
*Thread Reply:* There are two options to get the contacts to the native Contacts app.
*Thread Reply:* Option 2. is the best for UX and DLP (I completely forgot to mention it, thanks @Nico Hermeling!)
Can anyone shed some light on how to configure Microsoft tunnel VPN with defender on BYOD with split tunnel.
In device enrollment on iOS device, can corporate and personal email accounts coexist in Outlook app with all DLP controls such as copy/paste restriction across the accounts?
*Thread Reply:* Check Intune App Protection Policies that will apply to the managed account only, while allowing a personal account to be added with DLP restrictions enabled.
Is there any way to manually force sync of discovered apps in MEM instead of waiting 7 days?
We have created app protection policies for iOS devices however test users are still able to share documents with unmanaged apps. How can this be fixed?
*Thread Reply:* Do i need to create restriction policy for iOS device to restrict users from sharing documents with unmanaged apps in MEM similar to Mobileiron restriction policy?
*Thread Reply:* I would block managed to unmanaged sharing with an MDM Policy, that way the OS level enforcements are used vs something that needs to be built into an app.
*Thread Reply:* Which policy should i use to prevent copy/paste between managed and unmanaged accounts in iOS Outlook.
*Thread Reply:* I don’t use outlook much so I am not sure. In the native mail app managed account can be flagged to not allow copy and paste (It follows the managed app rules)
Since Android 12 and above will not show the serial anymore, how do you guys handle the corporate identifier feature to block the private Android devices? If we enable this, Android 12 can not be enrolled, right? Will it work with Google Zero Touch or Knox Mobile Enrollment?
Does anyone know if Intune has a feature like WS1's Event Notification API? https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/System_Settings_On_Prem/GUID-AWT-SYSTEM-ADVANCED-API-NOTIF.html
How are you guys handling migration to Intune while the other MDM has still active VPP deployments? After downloading the VPP token we see the message „assigned to external mdm“ within Intune. The only issue we have found out is that we are not able to choose the VPP token within the DEP profile if the external mdm still uses the token. Is there a solution for this? Create a new location within ABM to receive a different token?
*Thread Reply:* I would create a new location and over time move apps from current to new location and you move users to new MDM.
*Thread Reply:* Yep. Use a new location. And you'll get a new token.
*Thread Reply:* And there is no impact with the old token this way?
*Thread Reply:* No impact to the old token. I've done this multiple times like the others described, works fine every time
*Thread Reply:* That was a design change a few years ago, when locations were introduced it was done in part to allow for the ability to have multiple VPP tokens in a single AxM instance.
*Thread Reply:* You can even transfer licenses from one location to another in ABM. It's pretty good stuff.
With Outlook for iOS device, i do not see the 'open in' option for attachments. How do i enable this in intune?
Is it possible to push plist file for adobe on iOS device to manage the app similar to Mobileiron?
*Thread Reply:* yes you can use App configuration profiles on managed devices to target specific settings. Here are Adobe's settings for Intune https://www.adobe.com/devnet-docs/acrobatetk/tools/Mobile/intune.html#admin-deployment
*Thread Reply:* I have created an app config policy and targeted to adobe acrobat reader. However it is not getting applied.
*Thread Reply:* Intune Deployments — Acrobat Desktop Mobile App Deployment (adobe.com)
i’m not quite sure whether it is required to guide any users to hit the enroll button as described on Adobe's site to apply the configurations. It's not clear whether this is only the mechanism for MAM opt-in / opt-out or whether it does even involve the MDM approach. Maybe you can give this a try to go through the steps from the side on a test device to see whether your policies are applied after hitting “enroll” in the Adobe app?
Anyone done shared iPad mode? Does it work well and do you really need federation or just a managed Apple ID?
@Jamsy it’s not bad. Yes, it requires MAIDs (Managed Apple IDs) + Federation. Initially that was just with Azure, but now that they federate with Google it might allow that as well. Haven’t played with it in a minute.
If we enroll iOS devices via DEP, the company portal app signs in the user correctly, but it shows „device is not registered“ even though the device is visible and compliant within Intune. What am I missing? Is this normal behavior? I doubt it.
*Thread Reply:* @Mikey2000 IIRC Company Portal is only to be used for User Enrollments on iOS. If you install it post MDM enrollment (e.g after DEP) it doesn't have a way to align itself with the existing device inside Intune.
*Thread Reply:* Are you using Setup Assistant or Company Portal during DEP process? Is the company portal installed during DEP (configured in DEP profile)?
*Thread Reply:* @Woody so you are saying this is by design? but we have a lot of app recommendations that we publish within the Company Portal app. Can the user still download these apps via Company portal app?
*Thread Reply:* @Nico Hermeling currently we use the setup assistant with modern auth.
*Thread Reply:* I believe I found the issue - test user had too many AAD devices registered and exceeded the limit. Now the company portal shows registered.
*Thread Reply:* @Mikey2000 Nice! Good find. Perhaps I was remembering from the early days. I agree, I’m one to always want the management app installed. I also forget that Comp Portal is the sole point for the MDM App Store vs webclips like in the past.
Anyone know if it's possible to somehow display the company name of a (Work) contact that is calling, when using Personal device with Work profile on Android (Samsung) devices? We're managing the devices through Intune.
We have an interesting problem: our users don't know any passwords. So we enroll users in Intune with TAP (Temporary Access Pass), which works so far. The only problem is: when a user is not actively using the device for weeks for whatever reason, the company portal app is asking for credentials, which the user doesn't have. Do we have to use a TAP again for this regular authentication?
*Thread Reply:* If you have Azure login with certificates then your users could login again without knowing their passwords 🙂
iOS restriction - passcode age - Microsoft told us that this field cannot be blank - either minimum or maximum (1 -65xxx) must be entered, otherwise the default shown in the field (41) is active. Can anyone confirm this? I highly doubt that.
I’m quite sure it can be blank in Intune. I KNOW it can elsewhere…
*Thread Reply:* I agree.. this is weird. Microsoft's answer:
„To start with, whether you configure this using the Compliance policy or the Device restriction profile the values for "Prevent reuse of previous passwords" and "Password expiry" cannot be set to a blank value. You must set either a minimum or a maximum, respectively.
Minimum and maximum for password expiration are: 1 to 65535. Number of previous passwords to prevent reuse can be between 1 and 24.
If you do not modify these fields, indeed the password expiration field is 41, and the prevent reuse field 5. „
*Thread Reply:* I believe this is BS.
*Thread Reply:* Yep, that's BS. I've left those fields blank in many environments without any issues.
*Thread Reply:* Definitely BS, we also have it blank and never had an issue with that.
*Thread Reply:* Can confirm as well this is BS
The field “Activation lock bypass code” under Devices > Example iPhone > Hardware has the code stored for supervised devices until they factory reset, enroll again and generate a new one that is added there. I read somewhere (can’t find the article anymore) that the code is only valid for 15 days after creation. Why would it be stored in Intune then, if it only has a lifespan of around 2 weeks? Can someone say something about that? I couldn’t find something from Apple that would have details about that.
*Thread Reply:* it’s only available for MDM/Intune to grab FROM the device for 2 weeks…. After that MDM can’t grab the code from the device and can’t present it to admins…
*Thread Reply:* Okay, but that would be enough since we only need access once to grab that and to store it in case it is needed. As long as the code is still valid after those 2 weeks, that’s fine with me
Hoping to get some outside perspective on an issue I'm dealing with. We have a client who has rolled out Windows 11, which has a lot of unwanted apps pre-installed. The client wants to use Microsoft Endpoint Manager to remove these unwanted apps. One of their more important requirements is to be able to wipe/Fresh Start a Windows device for the user while they are out in the field and get them back up and running from a software issue with little IT involvement. The only method for removing these unwanted apps is to use a PowerShell CMDLET called Get-Appxpackage | remove-appxpackage. I have tested a script that runs consistently when I run locally on the target device. When I attempt to use MEM to deploy this script it will behave as if it ran successfully - produce logs, register in Event Viewer, report back to MEM success - but the script did not actually execute and remove anything. I have used both the built in MEM PowerShell script capability and packaged the script as a Win32 intunewin app. In either case, the script will run successfully when executing under the user context, but fails when executing under the system context. I need to be able to get this script to run successfully under the system context because the user context requires the user to be a local admin, and the client's security policies do not allow this. My question to the group is this: has anyone had any success in getting this particular type of script to run successfully under the system context? Apologies for the wall of text.
*Thread Reply:* Hi Chris, We use the following for Windows 10 a lot: Remove built-in apps for Windows 10 version 20H2 - MSEndpointMgr It basically deletes all bloatware except the whitelisted apps. This is easier, as you won’t have to manually investigate which bloatware Microsoft adds in feature updates. We also run it in System context as most of the time the users are not local admins. This script works fine with that. I haven’t tested it with Windows 11 and you might need to add some apps to the whitelist yourself, but maybe this will work for you.
*Thread Reply:* Also check-out: Remove Built-in Windows 11 apps leveraging a Cloud-Sourced reference file - MSEndpointMgr
*Thread Reply:* Much appreciated Mark. I will give these two articles a look over and report back with my results.
Has anyone had this issue? Installation of the Microsoft Tunnel Gateway Server:
------------ Admin Task ------------ You will need to authenticate to Intune as an administrator to enroll the server. Failed enrolling the connector: Resource temporarily unavailable Retry enrollment (yes/no):
Sounds like a service outage to me.
*Thread Reply:* Could this be an issue that we enforce MFA for all device registrations (Global Setting in Devices / Settings)
I'm running into an issue, I'm hoping others have seen before, because Googling has returned nothing helpful. I have multiple Windows 11 devices enrolled in Intune and joined to Azure Active Directory. Same Windows 11 image I've been using for weeks. Same AAD user to enroll and join that I have been using for weeks. All successfully, up to this point. Over the last week, Intune has been failing to deploy apps. After numerous days spent diving into logs, Event Viewer, combing the web, etc. I have hit a dead end. Intune will successfully deploy device profiles and Microsoft 365 apps. It will fail every time deploying Win32Apps. No Line of Business apps are in use. The IME log continually shows the following: <![LOG[Didn't find cert in both store, retry 27]LOG]!><time="15:52:24.9941603" date="7-18-2022" component="IntuneManagementExtension" context="" type="2" thread="18" file=""> <![LOG[Find 0 MDM certificates.]LOG]!><time="15:52:24.9941603" date="7-18-2022" component="IntuneManagementExtension" context="" type="1" thread="18" file=""> <![LOG[Device join type = DSREGDEVICEJOIN]LOG]!><time="15:52:24.9941603" date="7-18-2022" component="IntuneManagementExtension" context="" type="1" thread="18" file="">
I've tried reinstalling the OS, wiping and re-adding the device to Intune, different OS images (Azure VM versus local VM and local physical device). All results are the same.
Support for locating devices in Endpoint Manager
Hi all,
As per https://docs.microsoft.com/en-us/mem/intune/remote-actions/device-locate;
Does anyone have any news if MEM plan to support AE devices for this feature? Or, has anyone implemented a decent third-party alternative? Unfortunately, anyone who has migrated from WS1 or similar finds they cannot locate Androids anymore..
" Unsupported - Device location capabilities aren't supported for the following platforms: • Android device administrator • Android Enterprise: ◦ Corporate-owned work profile ◦ Personally-owned work profile ◦ Fully managed • macOS • Windows Holographic for Business • Windows Phone "
*Thread Reply:* Not heard anything myself, one of the reasons we suggest going down the dedicated devices route instead of fully managed. You don't lose much capability wise and gain the ability to locate devices.
Would be great to know if anyone has.
*Thread Reply:* Thanks, I'll add my name to the feedback post
*Thread Reply:* if you are using a 3rd party MTD or VPN tool that can be an option but not ideal. I think Samsung might have a Lost Mode option coming soon similar to iOS but not sure ETA or if/when MEM would support it
*Thread Reply:* It would be good if that came through in OEMConfig to other EMM's. I might take a look at that and see if I can get any info
I don't have an immediate need for it, but I think it would be good to know it's coming in the pipeline
*Thread Reply:* Can anyone recommend a paid third-party app or service that is compatible with Endpoint Manager, and that might be targeted a bit more to enterprise customers?
anyone know of a workaround to allow Google accounts in work profile devices?
This MS page says “On personally owned devices with a work profile (BYOD) and corporate owned devices with work profile (COPE), Google accounts can’t be added to the Settings app > Accounts > Work.” But I wonder if you could deploy custom XML to configure a Google account as a workaround.
https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-android-for-work
*Thread Reply:* Sure you could do it via custom XML. I'd generate an unencrypted profile from WS1 and then use it for reference. If you have access to do so.
*Thread Reply:* hey @Sharkey, thanks I’ll give that a try. also need to see if there’s a way to enter lookup values so i could dynamically enter the employees email address…
*Thread Reply:* Hi @brob did you make any progress on this one?
*Thread Reply:* i have the xml from the ws1 profiles but have yet to find the time to test it. in the ws1 profile it lists “com.airwatch.android.androidwork.restrictions” as the type in the characteristic tag. the bundle id for the hub app is “com.airwatch.androidagent” which doesn't match up so i’m not sure what to put for that for the company portal app. i guess i could try “com.microsoft.windowsintune.companyportal” which is the bundle id for the company portal but not sure that will work
*Thread Reply:* i haven't done custom xml profiles in intune since we still use ws1 so i don't really understand what xml it needs and what OMA-URI is
*Thread Reply:* i don't think it's possible. without installing any profiles google apps and accounts are blocked. when i try to launch a google app it gets blocked and the option to add a google account is disabled
How do you guys automate app deployment for inhouse apps? Mainly iOS apps, without making use of custom apps in ABM. The apps are only meant for inhouse use and therefore audits and checks from Apple are not what we want. Currently uploading .ipa files to Intune and making it available or installing it as required through Company Portal app. I’m currently working on a script that automatically uploads apps to Intune and makes them ready for assignment, what I’m struggling with though is how do I get the information from the developers to trigger the script? Webhooks (triggered from a form in Microsoft Forms connected to an automation in Power Automate/Flow) don’t work with Powershell 7.1, when using Powershell 5.1 the script is not fully running through. That led me to the idea to ask how you guys handle these things. Open for ideas and feedback on my approach so far.
can anyone share their experience if they are excluding MFA during enrolment on iOS and Android and how they are achieving it with conditional access policies. There is no definitive guide from Microsoft for this scenario (that i can find anyway) so would be good to understand if other people are facing a similar issue and how they overcome it
*Thread Reply:* also just to add, excluding the Microsoft Intune and Intune Enrolment cloud apps makes no difference...
*Thread Reply:* Not sure about your use case but I've configured something similar recently to require MFA during MDM enrollment.
Cloud app : Microsoft Intune Enrollment Grant access : Require multifactor authentication
Using the "Microsoft Intune Enrollment" app worked flawlessly 🙂
*Thread Reply:* no, we're trying to do the opposite. For example, new starters are excluded from MFA when enrolling their corporate device into intune. At this point, they will not have setup the device so can't go through the enrolment process fully unless they use another device to complete MFA beforehand. Weird thing was it was working fine with a workaround we put in the CA policy but something seems to have changed Microsoft's side and new users are being prompted for MFA setup on mobile devices.
*Thread Reply:* We were also looking into this Ajay but so far haven’t found a way to accomplish this. It is annoying to have to ask new employees to use their personal device to go through first enrollment of their company device. But it seems like Microsoft wants it that way, it is even part of the documentation.
*Thread Reply:* @Jay do you have a link to show where in the documentation it may hint that? We did have it working fine with a workaround we found online but doesn't seem to be the case anymore
*Thread Reply:* https://docs.microsoft.com/en-us/mem/intune/enrollment/multi-factor-authentication
*Thread Reply:* Alternatively, you can add an employee's phone number into AzureAD as an MFA method to begin with, this can help their first log on etc.
*Thread Reply:* @Ajay Patel, we are excluding it for iOS/Android only more than once. 'All cloud apps' ->Exclude Intune /Intune enrollment. See the subject 'Configuration in Microsoft Endpoint Manager admin center'. https://techcommunity.microsoft.com/t5/intune-customer-success/setup-assistant-with-modern-authentication-for-ade-intune-public/ba-p/2279061
What issues are you facing?
*Thread Reply:* @Tim this is what we have done for one customer but for some others they just keep being redirected to setup MFA when going through the enrolment even when the above is done
*Thread Reply:* @Ajay Patel in that case it is likely that they still have user based/Per user status MFA turned on. Users should be marked as disabled over there. Can you check on this? Per user status MFA takes precedence over CA MFA.
*Thread Reply:* Did you check if Security Defaults are not enabled in AAD ?
*Thread Reply:* @Tim defo not user based MFA. All driven through conditional access. @Steven - these are not enabled already
How do we configure split tunnel using Microsoft tunnel and defender app. Desired result would be internet traffic going through device internet and internal traffic through tunnel.
Regarding this; https://mobilxperts.slack.com/archives/CH3A5MY5D/p1658404814212029, Can anyone recommend a paid third-party app or service that is compatible with Endpoint Manager to track Android devices, and that might be targeted a bit more to enterprise customers?
Anyone experienced issues with iOS 16 (beta of course) and newly enrolled devices based on User Enrollment (has nothing to do with the yesterday's reported issue within Intune regarding User Enrollment)? Keep getting profile installation errors, might have something to do with the declarative MDM change and lack of support in Intune?
We are pushing Managed apps with OS sharing (in order to display all managed apps in the iOS share tray) and blocked managed to unmanaged in the restriction policy (to block unmanaged apps in the sharing tray). Now OneDrive or Outlook users are unable to share anything from unmanaged accounts to unmanaged apps. Is this an expected behavior?
*Thread Reply:* Yes. The restriction policy is an MDM feature and can’t switch between accounts. It just prevents sharing from managed apps to unmanaged source (and vice versa if applicable).
We have configured IP ranges to include for Microsoft Tunnel (Split Tunnel), but If we want to access external websites they still won't load. We trigger the Microsoft Tunnel VPN on iOS with Microsoft Edge. Did we miss something? EDIT: Found out that split tunnel and per-App-VPN at the same time is not supported on iOS!
Has anyone found a way to deploy the Azure VPN Client/Config via Intune/MEM to MacOS? Intune doesn’t seem to import the app from VPP and the only real documentation I can find is to set it up by hand. https://azure.microsoft.com/en-us/updates/public-preview-of-azure-vpn-client-for-macos/
*Thread Reply:* I’m supposed to do this in a couple of weeks but haven’t done anything yet. I’ll keep an eye on this thread 🙂
*Thread Reply:* @Peter Mohr I wish I could say I’m surprised with the lack of support/documentation… but sadly this is par for the course. I’ll post up anything I can find!
Is there really no way to see Apple model ID, Family name or processor architecture in Intune? Seems limiting for Endpoint Manager admins that want to filter and handle iPads that won't be running iOS 16 next month.
*Thread Reply:* They added product name as a new property field last month, not sure what specific Apple name that is but you can see iPhone12,8 for example which should allow you to identify specific models but don't think you can report or filter on it yet.
*Thread Reply:* Agreed in the Hardware inventory page, but I can't identify X number iPad 4th Generation devices out of tens of thousands of iPads.
*Thread Reply:* Not aware of another way I'm afraid. I'm hoping they add this before we need to worry about identifying a 2020 iPhone SE from a 2022 one.
*Thread Reply:* @Nick - i raised the same concerns about a year ago with our partner MS account manager who put in a feature request but clearly hasn't gone anywhere. It's actually absurd that they don't capture the model and Gen like all other EMMs. I'd even settle for the Apple product code if it meant I could still have the data I needed!
*Thread Reply:* So, we agree that we still can’t create groups or filters targeting iPhone SE 1st Gen (iPhone8,4) separately from iPhone SE 2nd Gen (iPhone12,8)???
It’s important now with iOS 16 being released….
Apple User Enrollment: Allow copy/paste to be affected by managed open-in: was anyone able to achieve this via Intune User Enrollment device restriction? As per the document this is achievable, but we were only able to test "Block viewing corporate documents in unmanaged apps", not the "Copy and Paste" features. https://docs.microsoft.com/en-us/mem/intune/configuration/device-restrictions-ios#settings-apply-to-all-enrollment-types
*Thread Reply:* Has anyone tried with iOS 16 ? We see there are improvements with ios 16!
Maybe it’s just me, but did anybody already transition from using MAC addresses to Intune Device ID as mentioned in this post? If yes, would you mind sharing the way you did the transition without bothering users and having them do anything on their phone? https://www.itnews.com.au/news/coming-microsoft-api-change-will-break-third-party-device-authentication-582975
One of my clients has Microsoft Store blocked on a Windows 10 Pro. When I asked one of my engineers to recreate the set-up, they said it was impossible with the Pro and Enterprise versions required. Help :)
*Thread Reply:* We blocked the store via the PowerShell script that changes the registry.
Due to some reason, app protection policies are not getting applied on iOS Edge browser whereas the same policies are getting applied on other apps. This was working earlier. Edge is being tunneled, any thoughts on how to troubleshoot this?
*Thread Reply:* I would be checking to begin with: • Conditional access - ensure that the app protection CA policy is still enforced. • The policy in MEM, is Edge still listed? • Is the user excluded from the above?
This is more of an AAD-Connect related question - any knowledge here? We have 2 domains. Each domain uses an AAD-Connect server and we sync into one tenant - which is actually not supported. Now we want to build a trust between the domains, add the second domain to the AAD-Connect. But the main question is how do we remove the second AAD-Connect without removing the objects from the tenant?
*Thread Reply:* Maybe it will work as long as the user object anchor remains the same
*Thread Reply:* You mean add the second domain to the first aad connect before we remove the second aad connect?
*Thread Reply:* Yes, but try to confirm this with MS
Did somebody already connect the Zero-touch portal with his Intune tenant using this new button? I’m asking myself if this would have to be the same account that was used to setup Managed Google Play or if these can be two separate accounts? Documentation has nothing about this as far as I could see.
*Thread Reply:* I did, but we already created a zero-touch portal months ago. But you do not have any zero-touch portal earlier created yet? Besides this integration was a little bit of a disappointment if you ask me. I was expecting (and yes maybe my expectations were not right) a full embedded iframe into the zero-touch portal, but that's not the case.
*Thread Reply:* We have it already created for over a year, but back then I used my account. I have added more admin accounts now and also a general admin account, that is independent from mine, which is the one I’d want to use now to integrate zero touch. I do expect an iframe is that not the case?
Does somebody know a way to fix this issue? User was an intern a year ago, was gone and now came back and wanted to enroll again. This is a picture that shows the error message that Outlook is showing a user after trying to setup her account. In this case both accounts are exactly the same account that’s why I’m confused as to why Outlook is claiming to see duplicate accounts. First time this showed the error in the first screenshot so I asked her to unenroll the device and remove all the Microsoft apps. After reenrolling and downloading Outlook from the company portal again it would ask her to sign in and do MFA just to end on this screen again. Not really sure what is causing this. Could it have something to do with her account being deactivated and now activated again? Something that might be off in AAD so that the account is basically the same when it comes to the address but the backend is causing this issue?
*Thread Reply:* 1. Does it occur on another device or just a single device?
*Thread Reply:* You can also check Azure sign in logs for more info
*Thread Reply:* 1. It only occurs on that device, user has no secondary device to test since this is a personal device.
*Thread Reply:* The setting might be in Troubleshooting
*Thread Reply:* That’s what I also thought at first, but nope
*Thread Reply:* I'll just grab a device and verify
*Thread Reply:* I have Reset Office down the bottom
*Thread Reply:* Hooray, hopefully that helps. Let me know, as we've faced similar issues with MAM.
My instructions weren't exactly clear 🤣 I've since written a more detailed guide for servicedesk staff to deal with MAM issues, and this is included
*Thread Reply:* thanks, will test this and get back to you😅 will also check with user if she happens to have authenticator installed, which could be a factor in this issue
*Thread Reply:* we’re seeing this issue with multiple users now too. @Jay did you ever find a cause/resolution?
*Thread Reply:* no and I also opened a ticket with Microsoft last Friday and I’m still waiting to hear back from them
*Thread Reply:* ok, sounds good. we’re about to do the same
*Thread Reply:* will update this thread as soon as I get new info. do you have the issue with one account or multiple accounts? also is this happening with new users or are these users that are rejoining or reenrolling?
*Thread Reply:* looks like it's only happening to a few users who have recently rejoined the company
*Thread Reply:* It has happened 2 days ago to a user who switched to a new iPhone 14 Pro with iOS 16. The app displayed a blank / empty account line (instead of his account twice) but he couldn't delete it. On another device (iPhone SE iOS 15.x), the same account worked.
*Thread Reply:* Clearing the cached credentials through Settings > Office > Reset Office is working to solve similar issues for us. Can someone else confirm it's working for them?
*Thread Reply:* Not 100 % sure, but this kinda sounds like the issue
*Thread Reply:* According to Microsoft this has been resolved, but need to wait for the user to come online so we can check
*Thread Reply:* Thanks @Jay, where did you find that service message? I'm not seeing anything in the Intune console.
*Thread Reply:* Ah, never mind, I found it in the issue history.
*Thread Reply:* One of our impacted users tried again and is still having the issue. They reinstalled the app in question (Teams) as well. I'm confused by the service message. It sounds like they published an app update, but I'm not seeing an update to the apps. Maybe the update is rolling out.
*Thread Reply:* @Nick Knight the trick with Office helped in another scenario where Outlook would load (“Downloading your inbox”) like forever after the user authenticated, thanks for this. trying the trick now also with the user with duplicate account, will see if she finally replies (and follows the instructions I’ve been throwing at her)
*Thread Reply:* BTW, it would've been nice if Microsoft had added that functionality to delete credentials earlier, probably in Outlook or any other Microsoft app.
*Thread Reply:* Hey @Jay, are your users still seeing the issue? Our users are, and MS support isn't helping much.
*Thread Reply:* I’m pretty sure my user is also still seeing this issue, but MS and I closed the case as user was not very cooperative and stopped responding to the troubleshooting instructions.
*Thread Reply:* Seems about right. The issue is intermittent now so still going back/forth with MS support
Hi. Are CA Policies only supported for user groups or will device groups also work?
*Thread Reply:* Pretty sure it's just users, however you can add a dynamic device filter in the policy based on variables found in MEM such as ownership, manufacturer etc.
Separate topic on MAM-WE. If you have a CA policy that requires compliance, then you basically can't have MAM-WE, right?
*Thread Reply:* Depends, if your CA policy is All Users > Android and iOS > Require Compliance, then all users will need to enrol into MEM to access resources.
If you want to have Compliant devices in MEM as well as use MAM for unenrolled devices there are several ways to accomplish it.
For instance, the above CA policy could instead be filtered with a dynamic device group in the CA policy for only "Company" devices (or whatever its called) so that enrolled devices require Compliance, and unenrolled devices are free to use MAM
*Thread Reply:* Thinking of this in more detail. CA policies are user group based which makes this more challenging…
*Thread Reply:* You can have Compliance (Enrollment) as well as MAM. Even though unmanaged devices benefit the most from MAM, managed devices can still technically use MAM as well.
If you want to separate the two, you can use the device filter to Enforce MAM, but then exclude "Company" managed devices, similar to below:
Out of curiosity, has anyone run multiple instances of DEP and VPP inside Intune? Have a customer that’s trying to consolidate a couple different instances of ABM into one Intune instance. I believe this should work, but don’t have tokens from multiple programs to test ATM. Thanks in advance for anything you can share!
*Thread Reply:* Multiple DEP instances is definitely fine without any issues. Haven't tested multiple VPP instances, yet.
*Thread Reply:* Awesome @Johannes Harbs - I honestly figured they’d just use one VPP for the licensing inside the Intune tenant. Perhaps add a second if they had licenses that had actually been purchased (non-free), etc.
*Thread Reply:* You can use multiple VPP instances, it just assigns the app with the corresponding license AFAIK
*Thread Reply:* Awesome @Nick Knight — Appreciate that!
Hey all,
iOS eSIM cellular plan provisioning is in preview in Endpoint Manager and should be available for iOS during ADE enrolment and also just as an admin action.
Does anybody know if this is planned for Android, and has anybody had any issues or learnings/limitations deploying this? How about carrier support?
*Thread Reply:* We reached out to our provider to learn about the configuration we have to enter to test this intune feature/integration. Provider (Deutsche Telekom) told us that they don’t support that in this specific way but provide a cross-platform approach through their infrastructure. Because of this we use their B2B portal to attach an eSIM to an eID of either Android (Samsung devices tested) or iOS (Apple Watch works as well!)
Hi all, a customer requested to disable the App Lock feature (no idea why) for the Authenticator app, which is deployed through Intune. As far as I am aware, there are no Authenticator app configurations available to achieve something like this, right? Any experiences?
*Thread Reply:* I checked the App Configuration options earlier for Authenticator and didn't see anything related to App Lock
*Thread Reply:* Hi Nick, the app configs for Android are quite easy to check, just by reading the app schema. But how/where did you determine whether this config value is possible or not?
*Thread Reply:* I created a test profile for Android and took a look at the JSON and Configuration designer. I've attached a screenshot
In Endpoint Manager > Apps, App Configuration Policy > Add > Managed Devices > (create profile for MS Authenticator)
*Thread Reply:* So I'm assuming that App Lock cannot be configured via App Config as I can't see a Key Value Pair for it
Hi, all, I'm testing Azure AD Shared Device Mode (Dedicated, Multi-App) on Samsung Android in Endpoint Manager. I have test devices locked to Managed Home Screen and auto-log out working fine.
I am not receiving a Software Update prompt like I would expect to see on a fully-managed device where we have auto updates enabled. System Update is set to Automatic in General of the config profile. Is it possible Managed Home Screen is blocking it? I know at least one of the devices has a pending update, but it won't popup automatically to install.
Has anyone encountered this?
@Jason Bayton - time to rename this group back to Microsoft Intune. Endpoint Manager no longer officially exists and has been renamed back to Microsoft Intune for all cloud-based endpoint management! - https://techcommunity.microsoft.com/t5/endpoint-management-blog/introducing-the-microsoft-intune-product-family/ba-p/3650769
*Thread Reply:* I can't help but wonder what's prompted this change back to the old naming conventions!
*Thread Reply:* Probably all of their customers confusing them still calling it Intune!
*Thread Reply:* I have called it endpoint manager about 3 times ever
*Thread Reply:* All the money on marketing and branding... ALL STOP, right dust off the old signs and anyone still have the logos knocking around 😂
*Thread Reply:* Branding1.1-restored2020.pdf
*Thread Reply:* What are the betting odds on a rebranding within the next 2 years?
*Thread Reply:* How else does MS Marketing retain their budgets?
Does somebody understand what this change is about? I’ve been coming to this post every few days to see in the comments if it’s just me that finds this change confusing. They want to remove the Company Portal option from the ADE enrollment profile, I get that since we shouldn’t be using that anymore to begin with. At the same time they also want to remove the “Install Company Portal with VPP” option and have us assign the Company Portal app as required app through regular app assignment including an App Protection Policy for specific settings. Not sure why they’re not just leaving the auto app installation in there to be honest. Also so far I couldn’t find enough about this Just in Time registration they keep referring to. https://techcommunity.microsoft.com/t5/intune-customer-success/upcoming-changes-to-ios-ipados-company-portal-app-deployment-for/ba-p/3627761
*Thread Reply:* So I’m not in the loop with Microsoft things as much since I’ve changed jobs, but I believe the JIT basically uses an authentication token that it keeps to save the need for multiple logins. They are using this JIT method across a lot of Azure services. And they are now taking the approach of other UEMs whereby the management app is not needed, as everything is controlled via the management certificate. I think this is a nice change personally and makes them a bit more unified.
*Thread Reply:* And moving the app to have to be deployed via “Apps” makes logical sense for newer customers as they won’t necessarily use the DEP profile and tick install via VPP when they don’t need it
*Thread Reply:* Taking away automatic install though isn't the right option for all customers. This seems short sighted. Especially if you've built dependent flows and support processes on having it in place.
*Thread Reply:* Oh agreed it’s not the best for all customers but I kind of understand this change for once in the land of Microsoft
*Thread Reply:* I've read this again and it looks like they are changing this to Q1 2023. Are they referring to removing the Company Portal authentication method at the same time, or I heard that was next month?
*Thread Reply:* Microsoft's communication on this has been really subpar, I can't even find those messages in the admin console
*Thread Reply:* Hey all, just a heads up that Microsoft have confirmed to me in a ticket that "deprecation of the Company Portal enrolment method for ADE is not occurring until Q1 2023".
Some details can be found here however the blog post and subsequent updates are becoming messy IMHO: https://techcommunity.microsoft.com/t5/intune-customer-success/upcoming-changes-to-ios-ipados-company-portal-app-deployment-for/ba-p/3627761
MS has previously announced in MC408678 and MC284343 that Company Portal would be deprecated from ADE in November 2022.
There is another change which is occurring in that blog regarding the ability to stop automatically pushing Company Portal that has been delayed too.
*Thread Reply:* Yeah, I absolutely understood it the way you laid it out here, yet I still do find this a messy way to handle all this. They basically changed plans after they received the well deserved backlash and pushed everything to Q1 2023. Looking for the MCs in my console search would come out empty, but when searching for it manually you’d find both of those. In order to stay updated you’ll need to check back with that post every now and then, that’s what I’m basically doing ever since that post came out.
On iOS devices (BYOD), users have to enter their username for each Microsoft app, and it redirects to the Authenticator app and signs in. Is this the expected behavior for the SSO, or do users need to log in once on a single app and all other MS apps sign in?
*Thread Reply:* Typically you would only log in to one app, and then in others you might need to enter the email address but not your password or MFA. This would be normal for apps like Outlook, Teams and other Office apps, but some apps might behave differently (there are a number of MS apps I have not tried like that).
Hello, I would like to block the C: drive to prevent users from seeing it in the file explorer but with one exception from seeing their OneDrive folders. Block C: I can do it easily with a profile and a template, but I can't allow access to local OneDrive folders. Any ideas? Thank you very much.
On iOS devices, we have pushed an MDM restriction configuration to block ‘Managed to Unmanaged’; however, we still see the Mail app in the Open In/share tray. How can I disable this?
*Thread Reply:* Do you also push an activesync profile to the Mail app? If so, this profile is managed, making the mail app managed. When selecting the mail app for open in you should only be able to share data in the managed mail profile.
*Thread Reply:* We are not pushing an ActiveSync profile. We use Outlook for mail. Since we have third-party apps, in addition to APP, we are also leveraging the MDM restrictions to enforce DLP. For some reason the Mail app is excluded. I am on iOS 16.0.3.
*Thread Reply:* Latest finding: the Mail app is only visible if no accounts are configured. When my iCloud or Gmail account was configured, the app disappeared from the Open In tray.
Hi all, I configured the Microsoft Launcher in Intune, but there are no configurations available to prevent the configured apps on the launcher from being deleted. I mean deleted from the Launcher, not from the device. However after a sync the configured apps do not return on the launcher and there is no configuration to prevent deleting. Do I miss something, or does somebody know the trick?
*Thread Reply:* Hi Tim,
Are you using a Device Configuration policy or an App configuration policy? https://learn.microsoft.com/en-us/mem/intune/apps/configure-microsoft-launcher
I believe App config policies have more options available, especially if you use JSON.
If you take a look at the link, there are keys available which limit what users can change. It may potentially be what you are looking for. Need to test it though, I could be wrong
I'd also just ask, what is your use case? Fully-managed? Dedicated kiosk?
I find that the Managed Home Screen is better for kiosks and shared devices and has much more granular controls than Microsoft Launcher.
*Thread Reply:* Thank you for replying. I used this docs page during config, but there is no value for specifying the removal of icons on the Launcher. I primarily used the device restriction, since not all the options are available in device restrictions. Besides, Launcher is only available for fully managed, not dedicated devices. However, on dedicated devices you cannot enforce Conditional Access, so a no-go.
Hi all, anyone using Intune and managing Android devices? We are using another MDM system on some devices (the system installs a custom MDM agent) where the consultants say that they can’t guarantee that the policy settings they apply work across different device manufacturers, or even with the same manufacturer but different Android versions (10 to 11 or 11 to 12). Is this “normal” behavior when working with Intune also, or is it only on their system? I just haven’t read any posts in forums about that behavior. Thanks in advance.
*Thread Reply:* At a high level yes
*Thread Reply:* There is a baseline set of Google-exposed management API functions, exposed through Android Enterprise, that should be universal to all manufacturers and EMM providers, assuming that the EMM providers have built mechanisms for leveraging those APIs.
*Thread Reply:* Each new version of Android OS builds upon the last, adding on more and more management capabilities
*Thread Reply:* So just in looking at different OS versions, with all other variables controlled (EMM provider & manufacturer, and model, etc) then you should expect to see different management capabilities available
*Thread Reply:* Then there will be differences between individual manufacturers as they expose management capabilities beyond what are offered in base android enterprise
*Thread Reply:* Enterprise grade manufacturers like Zebra, Honeywell, and Samsung for instance have tons of additional configurable options beyond what is offered by base Android Enterprise
*Thread Reply:* And then you have the EMMs themselves
*Thread Reply:* There are some limited EMMs like Intune that are fully aligned with Google’s management API concept and therefore only offer the bare minimum functionality offered by Android Enterprise
*Thread Reply:* Other more capable EMMs offer custom DPCs (device agents) that allow for more granular control over more manufacturer specific settings exposed by those individual OEMs
*Thread Reply:* For example you can manage a lot more features on a Zebra Android device if you’re using SOTI or AirWatch than if you’re using Intune
*Thread Reply:* Not all EMMs are created equal. Google wants you to think that's the case and is trying to drive toward uniformity with standardization around Android Enterprise and concepts like OEMConfig, but in my experience I find Intune incredibly lacking for managing Android devices, especially for the Managed Device / DO use case.
*Thread Reply:* @Matt Dermody thank you for such a deep dive of why you see different behavior on different manufacturers and devices, but Intune uses the native Google API set as I know, so don’t they take into consideration with device setting they apply so they know they will work on all devices?
*Thread Reply:* I don’t know how Intune enforces policies or reports on the success of their application unfortunately
*Thread Reply:* But lets say there is a configuration option that is available starting in Android 9, made available by Android Enterprise
*Thread Reply:* If you have two devices under management, and one is on A8 and the other is on A10, then the configuration option that became available in A9 will very likely fail if the EMM attempts to apply it to the A8 device.
*Thread Reply:* I believe it is ultimately up to the EMM to architect how they want to handle that situation
*Thread Reply:* Meaning, Intune could prevent you from applying a setting to a device that is not eligible for it
*Thread Reply:* Or maybe it allows you to apply it and then provides feedback of the failure.
*Thread Reply:* I’m really not sure, I haven’t seen how intune handles that situation.
*Thread Reply:* This example from another EMM (SOTI) might be helpful:
*Thread Reply:* Android Enterprise has a native kiosk mode that can be enabled by an EMM
*Thread Reply:* That kiosk mode has been enhanced over time as part of Android Enterprise so subsequent versions of Android have exposed more and more configurable options
*Thread Reply:* The EMM provider then has to expose the configurability of those management APIs through their GUI
*Thread Reply:* SOTI does so here in this example, exposing configurable settings of the native Android Enterprise lockdown
*Thread Reply:* notice however how if you hover over certain settings they will indicate that there is a minimum version of Android required (P+ / A9+)
*Thread Reply:* If I apply this exact same configuration payload on two devices, one with A8, and another with A10, then the recents button will be hidden from the A10 device, but will still show on the A8 device
*Thread Reply:* This is because that management option is not available in the A8 version of Android but it is available in A10.
*Thread Reply:* This is where you can get into examples of there being different configuration capabilities between different versions of Android, and also not being able to guarantee a particular setting will apply
*Thread Reply:* As an EMM Admin your responsibility is to research these differences and most importantly test your assumptions to understand how things work
*Thread Reply:* Documentation can get you only so far, you need to test these concepts out for yourself to understand the mechanisms as well as the nuances in behavior of the particular EMM that you’re working with
*Thread Reply:* @Matt Dermody thanks again for explaining this so deeply for me. It looks like it doesn’t have anything to do with the MDM system but more with the Android version and the compatibility of the API set for that version.
Hey all, just in case anyone missed it, here is an Intune technical event this week, all vids available to watch: https://techcommunity.microsoft.com/t5/tech-community-live/microsoft-technical-takeoff-windows-and-microsoft-intune/ev-p/3632740
Hi All, Pushing out apps to Android fully-managed via Intune... how long should it take to show device install status? We pushed out an app over the weekend and install status still hasn't updated. Is this normal?
*Thread Reply:* I would be checking:
*Thread Reply:* Yep, there are 178 devices in the group, to which the app is assigned as "Required". Yet only 7 devices are showing an install status from the app record. If I drill down/spot check the other 171 devices, then they show a mix of the app "waiting install status" or "installed successfully".
*Thread Reply:* I know Intune is slow at updating stuff like this, but it has been three days now!
*Thread Reply:* spot check shows devices checking in OK
*Thread Reply:* There is also an app config policy associated with the app, also assigned to the 178 devices. That policy shows an install status for about 70 devices, all of which are successful.
*Thread Reply:* I have no idea why neither the app or app config show the full 178 devices that they are assigned to. Does it take a week for Intune to provide accurate device install status with Android?
*Thread Reply:* You can also check here, see if the App record has the same information as the App Install Status in the Monitor section: https://endpoint.microsoft.com/#view/Microsoft_Intune_DeviceSettings/AppsMonitorMenu/~/appInstallStatus
*Thread Reply:* I usually customise the columns as the default view does not have much information
*Thread Reply:* Still shows just 7 devices.
*Thread Reply:* We are doing an "include" required assignment to a device group and an exclude to a user group. I have just read that mixing assignments between device and user groups is not a good idea... maybe that is causing the issue?
*Thread Reply:* (side note: these are the kinds of issues that are difficult to express to customers when they want a recommendation between Intune and WS1. I always tell them that Intune is effectively free... and you get what you pay for 😆)
*Thread Reply:* Yes, as per https://learn.microsoft.com/en-us/mem/intune/apps/apps-inc-exl-assignments MS advice is not to mix user and device groups.
*Thread Reply:* That might be causing the reporting to be strange
*Thread Reply:* We ended up deleting the group assignment that we had used and assigning to All Devices instead, which has fixed the problem.
*Thread Reply:* Lesson learned... never repurpose an existing user group into a device group, just start from scratch.
Hi all Has anyone done an integration between XenMobile and Intune (AAD) to make AAD aware of the compliance state in XenMobile and allow/disallow access in CA? I can’t find any decent articles about it..
*Thread Reply:* @TGR still messing with XenMobile ????
*Thread Reply:* @Peter Mohr - yup 🙂 Some customers are still not moved elsewhere and in the migration process we might try to use compliance in AAD for securing data
How to configure the "Managed bookmarks" + "Make EDGE as Default Browser" in (BYOD)Work Profile using Intune Managed Configuration? If any JSON file to configure those items, please share some reference.
*Thread Reply:* https://download.nomasis.ch/produkte/MobileIron/JSON-Android-Enterprise/ Here you can create a JSON file for Edge: click on Chrome Bookmarks, click on Add, and after that click on Generate JSON. When you later have the JSON and want to change some URL, please paste the JSON file under the blue buttons and click on Revert; then you can change the files.
Any known issues with OnePlus parallel apps + Intune work profile? We have received a user complaint saying that she is not able to use WhatsApp when the Defender VPN (per-app) is connected, and in the Settings app WhatsApp is showing under the work profile.
Please be advised that when Company Portal updates in December, some changes are coming regarding WP AE passcodes on Android 12 and higher, especially if you are on 4 or 6 digit: https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-android-enterprise-personal#android-12-and-later
I don't know if this extends to other UEMs yet. Change is coming from Google API
*Thread Reply:* They finally added a lot of the missing links, like should we create an additional config or just add to the existing, how do devices behave if we don't do certain things and most prominently that the change would happen with the December release of Company Portal app.
*Thread Reply:* They keep changing what they actually want us to do. When this was posted a few days ago it clearly said something like "For Android Enterprise 12+ devices, it's recommended to create a new policy and configure the Password complexity setting.". We talked about this a lot the last days in my team and now when I go back to it it instead says "For Android Enterprise 12+ devices, it's recommended to configure the Password complexity setting."....
*Thread Reply:* Yep, agreed. I think they had it wrong to begin with. Makes much more sense to have it in a single profile...
*Thread Reply:* To be honest I'm not sure, I have everything prepared for two profiles now, not sure if I'm reverting back to using only one
*Thread Reply:* Well from what I can tell, I can't test it properly until the December release of Company Portal?
*Thread Reply:* Because it's not enforcing anyway
*Thread Reply:* Yeah, that's correct. I only tested the separation into two different config profiles and made sure the devices followed what the assignments, including filters, were saying.
*Thread Reply:* But couldn't test the actual change, since we need to wait for that release, that is correct.
*Thread Reply:* Is anyone actually happy with the changes proposed here? Who finds it beneficial to be forced to set a particular bucket or face devices being forced to set 8 digit passcodes? And, with the buckets, either 4 or 8 being the only actual min-digit options?
*Thread Reply:* Not really happy with it, as I don't see why this change was needed in the first place or why they don't simply let us continue to use the existing controls. I get that this is a change on the API from Google's side, but again I find they didn't really put a lot of thought into how this would affect admins and the way things are managed. From Microsoft's side the communication is very poor and spotty, but yeah, nothing new here.
*Thread Reply:* Likewise, I think comms started in mid/late August, but with so much else going on before Xmas such as Basic Auth deprecation, most large Orgs are already quite busy. To have this enforced in less than 6 months, and with unclear messaging that wasn't loud enough IMHO, this wasn't released very well.
Also, enforcing a change on an app update, with no way for admins to test beforehand, isn't ideal. I can't even opt-in to test the experience is identical and fluid on older and newer Androids.
December is when most Orgs have a smaller workforce and change freezes...
*Thread Reply:* Technically, I'm not overly concerned. Just wish the release to market was more smooth.
*Thread Reply:* I take issue with this being a forced change. Google reference discussions with research groups being intimidated by password requirements being the driving force behind these buckets, two of which you can argue offer poor security (medium at 4 digits? Lol). And the other mandating 8 requiring many orgs to adapt to the new reqs ONLY on a potentially small subset of their estate (BYO).
Honestly why even bother.
*Thread Reply:* I'll repeat my question that I tried to start on another thread - I wonder if any orgs will consider doing away with the device password and instead adopting a complexity HIGH for the work profile password on BYOD.
*Thread Reply:* It won't apply, it's a device_scope policy, profile still relies on existing complexity options. This whole thing is limited to the BYOD device passcodes only
*Thread Reply:* So would orgs look to change? Why bother I suppose
*Thread Reply:* Woah, really? I think I've misunderstood that then. I've had debates lately regarding specific use cases where developers want to remove the device passcodes from iOS and Android devices. I argued you can't do that, because on iOS at least it removes encryption from the file system. But I know as of A10 and the switch to FBE that the work profile was encrypted by the work profile password if there was one, and the device password if not. Am I mistaken on that? Are you saying if there's not a policy for the device password you can't apply a work profile password?
*Thread Reply:* No no, you can request a WP passcode via policy, but not with the complexity buckets, the profile_scope still uses the existing complexity requirements
*Thread Reply:* If you want to test all of this before the upgrade of the CP app just register yourself as beta tester in the PlayStore for the CP app.
*Thread Reply:* So for everything except the BYO device passcode you use the existing numeric, min length, etc.; the buckets are there only for the BYO device passcode, excluding the profile passcode policy.
*Thread Reply:* Yeah, thanks @Almar Diehl! Wasn't aware that this was a possibility, not even the support told me about this..
*Thread Reply:* I'm surprised this is being enforced through cp and not the AMAPI DPC?
*Thread Reply:* From what I can see, there is no 6 digit passcode for this? It's either 4 or 8 digit passcode? (Medium or High)
How are people here handling assignment of resources to Android devices? Ideally, I would like to assign out profiles and compliance policies to dynamic groups based on Android Enterprise management modes - profile-owner, COPE, COBO and COSU, but I haven't found a way to create a dynamic device group based on these attributes... am I missing something?
If that's not possible, then what are people doing? Assign to All Devices and let the resource work out which device it should apply to? Assign to user groups (which won't work for dedicated devices)?
*Thread Reply:* I've assigned to All Users for Fully Managed and Work Profile previously, and the profiles will automatically apply to the applicable device + enrolment method.
For Corporate dedicated devices, I've created dynamic device queries for each use-case: (device.enrollmentProfileName -eq "enrolmentprofilenamehere")
*Thread Reply:* If you still need to fine-tune an assignment, you can use these dynamic device queries which retrieve the AE enrolment type: https://365bythijs.be/2020/04/27/android-enterprise-dynamic-groups-for-intune/#:~:text=Android%20Enterprise%20Dynamic%20Groups%20for%20Intune%201%20Work,4%20Fully%20Managed%20Devices%20with%20Work%20Profile%20
*Thread Reply:* Thanks Nick. Looks like enrolment profile name is the way to go. Not sure how I missed that. 🙃
We have created a Conditional Access rule to grant access to iOS devices if the device is compliant and access is via an approved client app. In this scenario access via an unknown e.g. EAS app is blocked. My client would like to have the contacts secured in the native iOS contacts app, so we pushed an Exchange profile with contacts only to the iOS devices. To allow the native app, we excluded the Apple Internet Account from our CA, but that doesn't work so far.
Does anyone successfully excluded the native iOS apps (Apple Internet Account) from a CA rule? Is this possible at all?
*Thread Reply:* https://techcommunity.microsoft.com/t5/intune-customer-success/new-contact-sync-scenario-available-with-outlook-for-ios-on/ba-p/1063632 Not 100% sure but I assume it shouldn't work at all, since I would expect Microsoft to mention it over there. However they do mention you should not use 'require approved client app' in your CA rule.
*Thread Reply:* Thanks, Tim. I'll have a look into the article. There should be a solution to block adding Exchange accounts, but allow MDM managed accounts. The contacts "sync" from Outlook is not a secure option as unmanaged apps are able to access them.
*Thread Reply:* The option in Outlook is indeed ridiculous; it is an export, not even a sync. It is even likely the contacts get uploaded to a personal iCloud account, and you will end up with contacts which duplicate themselves endlessly. Besides this, when the end user tries to use another mail application you need to approve this new app within Enterprise applications first, right?
*Thread Reply:* Yep, you're right. Callkit integration in Outlook would be the easiest way, but that's not on MSFT roadmap afaik. Good point, I was missing that (although I approved Apple Internet Account). I will give it a try - remove "approved client apps" from CA and try to connect with another EAS client.
I am having an issue connecting to Microsoft Tunnel VPN only on Android devices. How do I enable the app uninstall option in the Intune portal?
*Thread Reply:* What is it that you want to uninstall? I think Android apps can be uninstalled if they’re not set to “Required” in Intune
*Thread Reply:* I would need to uninstall ‘Microsoft Defender’ and install it back, as we have noticed Tunnel stops working intermittently. I do have other apps which are being pushed as ‘Required’ and I am able to uninstall them.
*Thread Reply:* If you set it to “Available” you should be able to uninstall it. If you really want to remove it from everywhere before reinstalling, I’d set it to “Uninstall”
FYI - we are seeing problems with iOS 16.2 along with Defender. MS URLs being flagged as "unsafe".
Is anybody seeing “Can’t set up device Contact your IT admin for help” as error message when trying to enroll Android devices lately?
*Thread Reply:* Not for us. Setting up as COWP in multiple tenants...
*Thread Reply:* Weird, I have a user getting that issue on the Samsung Galaxy S22 5G, looking on Google I can see posts like this with the exact same device 🤔
*Thread Reply:* Microsoft confirmed that there is an ongoing issue with Galaxy S22 models and they’re working with Samsung to fix this.
*Thread Reply:* Seeing similar issues with S22 on ws1, https://kb.vmware.com/s/article/90418
*Thread Reply:* Possible that the workaround should work for intune devices as well
*Thread Reply:* Yeah, they told me about the workaround too, will test this with one user today
*Thread Reply:* FYI, this should now be solved through an update from Google
*Thread Reply:* "User may reboot their device to receive an update Google play setting, which corrects the issue with downloading the Android Device Policy app during work profile configuration"
*Thread Reply:* User confirmed that it worked for her without workaround or anything
*Thread Reply:* Just as an FYI that this was actually a thing
Say what? "Only apps that have Assignment type set to Required can be installed on Android Enterprise corporate-owned work profile devices."
*Thread Reply:* Answer from MS:
Here's a quick update on this topic, Apps can have an available assignment on Android Enterprise corporate-owned work profile devices. I have confirmed this behavior with the feature PM and submitted a docs update.
This is probably gonna sound like a silly question, but if a device is not managed and instead just leveraging MAM apps, is there any way in the console to see how many users are using said MAM apps and what types of devices they are using?
*Thread Reply:* Hi Boe, yes you can in Intune: https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-policies-monitor
*Thread Reply:* Hey @Nick Knight thanks for that at least I can see something now however I was looking more for device specific data like User X is using Google Pixel 7 running Android 13 or User Y is using iPhone 14 running iOS 16.2 sort of thing.
*Thread Reply:* Hi @Boe You can once you export the report, here
*Thread Reply:* You can also access this data live via Odata or Graph to feed into a dashboard etc.
*Thread Reply:* Are they showing up as installed on the device?
*Thread Reply:* Yes. I can see the apps if I go to the ‘Managed apps and device’ option inside the managed Play Store. I would like to show these apps for users in the main screen (similar to featured apps in iOS).
*Thread Reply:* I’m not sure I understand what you mean. But if you want the required apps to show up in the Managed Google Play Store too you have to assign them as “Required” AND “Available for enrolled devices” in Intune.
*Thread Reply:* Thank you for your reply. I have most of the apps pushed as ‘Required apps’, however I don’t see these apps in the main home screen (the screen users see when they open the Play Store), as you can see in the attached screenshots. Only four apps are showing up in the main screen, contrary to the organized app layouts I have created in the Intune admin portal.
*Thread Reply:* Yeah, this looks exactly like what I described. If you check the four apps that are showing in the main screen in Intune they probably have an assignment under “Required” and “Available for enrolled devices”, that’s why you see them on the device.
The other ones probably only have an assignment under “Required”, which will force an installation but not show the app in the main screen of the Managed Google Play Store.
So you might want to adjust the assignment for the missing apps and add the “Available for enrolled devices” assignment, you should then be able to see them.
*Thread Reply:* These four apps are optional apps which we are leaving to users’ choice. Hence we pushed them as ‘Available for enrolled devices’. Can I use both ‘Required’ and ‘Available for enrolled devices’ for the same user group? When I try to add it, it shows group mode as ‘Excluded’.
*Thread Reply:* Yep need to make those apps available too
*Thread Reply:* I had the same behaviour on different mdm and I still don't know why. Sometimes it works for some device and sometimes not.
*Thread Reply:* Unfortunately you can not use the same group for more than one assignment. We use the specific group we want for “Required” and the default Intune All users group for the “Available for enrolled devices” assignment.
*Thread Reply:* I find that Intune makes it overly complicated, IMHO, because I feel like if I set something as “Required” it should also show up as “Available” in the Managed Google Play Store, but it doesn’t work like that
*Thread Reply:* Required: pushed to device, does not show in Play Store Available: shows in Play Store
You make an app both Required and Available, can't use the same group though or it excludes
*Thread Reply:* Microsoft's behaviour here has never made sense to me.
so overnight Microsoft went from 3 months to 65 YEARS for the token validity on an enrollment profile for Dedicated devices!
*Thread Reply:* LoL. This is a screw-up marked as an “enhancement”
As a fun EOY activity -- Who’d like to start a Microsoft Intune (or is it Endpoint Manager again?) shortcomings thread? I’ll start:
*Thread Reply:* Limited Dynamic Device Group Criteria
*Thread Reply:* Missing iOS ‘Manage App’ on Install flag
*Thread Reply:* No File System management of Android Enterprise devices
*Thread Reply:* No direct APK installation on Android Enterprise, only supports Managed Play
*Thread Reply:* Is it fair to say there is no web-based enrollment for Apple devices? I know Apple is pushing for user-enrollment via app, but I have to admit using Comp Portal as the front-door is not always easiest in all scenarios.
*Thread Reply:* O365 bundling and cheaper pricing tricks CIOs into ripping out more capable EMMs thinking they are saving their company money
*Thread Reply:* In terms of overall platform management, I guess it is just missing ChromeOS. Or did they add that in?
*Thread Reply:* Little to no ability to create/manage based on Org Hierarchy (e.g. MI Spaces/WS1 OGs)
*Thread Reply:* Decent out of the box reporting without trying to get your head round using MS Graph
*Thread Reply:* “real-time”-ness… when devices enroll they should appear instantly in the console… when you deploy profiles or apps you need instant or near-instant feedback and status information…
*Thread Reply:* You just can't remove and reinstall a profile or an app on a device without having a master's degree in AAD groups and required/uninstall assignments 🤦♂️
*Thread Reply:* The real-time-ness that Peter Mohr mentioned is a big one we have noticed in testing. You create a profile, assign it to a device and it can take many minutes before you see the status of the profile install within the console. While this may not be a big deal for real production devices, it makes testing and engineering much slower. You can't quickly iterate through changes like you can with other MDMs. This also makes engineers frustrated, and if Microsoft wants them (us) to ever advocate for this product they need to fix this.
*Thread Reply:* We generate user certificates for wifi/vpn/etc and have these generated by an external CA configuration via MDM. Our certificates contain the Employee ID field. We pass this from MDM to the CA. This field and many others are not available with Intune to pass to an external CA. Only a few fields are. WS1 has many fields available as dynamic values you can send to the CA to create the certificate. We have asked MS how to put in a feature request but haven't been told any way to do this for Intune. Anyone know the official process for requesting something simple like this feature request?
*Thread Reply:* Intune has a 15 device limit per user. Today in WS1 we have many situations where we enroll a lot of devices under shared non-personal accounts. Info Security wants to minimize the amount of non-personal shared device accounts that get created so with Intune you must create many more.
*Thread Reply:* @Mark Polette I believe it has moved here after uservoice got switched off https://feedbackportal.microsoft.com/feedback/forum/ef1d6d38-fd1b-ec11-b6e7-0022481f8472
*Thread Reply:* Lack of functionality for the app feedback feature on either iOS or Android.
Playing around with the AAD Shared Device Mode for Android with the Microsoft Managed Home Screen and trying to get the Google managed web clips to work, but it doesn’t. Web clips are working for AE corporate-owned devices with user enrollment. Have tried both with Chrome and MS Edge installed but same result. When hitting the icon it just blinks and nothing happens. Anyone have experience or any ideas what I should try? Thanks in advance
How do you guys deal with inhouse apps that developers want to deploy to inhouse test groups in a very high frequency? Is there a predefined path for this? Or did you build your own process that gives them the possibility to upload it to a defined group as often as they want?
*Thread Reply:* For Android you can use closed tracks
*Thread Reply:* I know closed tracks for Android and Custom Apps for iOS but as far as I know both ways need the app to be checked by Android or Apple right?
*Thread Reply:* If you need to deploy apps to specific people (dev, Q&A, ..) you can use the internal track, but you need to specify the mail addresses of testers
*Thread Reply:* Hm, okay. I was more looking for something where developers can submit their app and then it would show up in Company Portal as available app for a specific test group or in the Managed Google Play Store, in Androids case. Something that doesn’t require too many manual steps
*Thread Reply:* If the targeted users are the same each time, you can create a role for devs to allow them to manage the internal track on the Play Console
*Thread Reply:* Even though that will probably change a lot, it’s worth trying. Thanks!
*Thread Reply:* Have you checked, if Incapptic fits your needs?
*Thread Reply:* One way we do this is via Microsoft App Center - this gives devs control to deploy and test app versions.
*Thread Reply:* Yeah, App Center was my first shot, but since we can not fully control it like other Microsoft related stuff it was not allowed.
Hi, share your views: the Intune Company Portal app runtime integrity check for Android Enterprise doesn't include the "Google security patches check", which leads to allowing activation even on non-compliant devices in Personally-Owned Work Profile! #androidenterprise #microsoftintune #android
*Thread Reply:* Wouldn't this be covered by a conditional access policy that requires compliance, and the compliance policy set in Intune with a minimum security patch level? It will then interrupt enrolment and block access to corporate resources if device does not meet security patch level.
Or am I reading this incorrectly?
*Thread Reply:* Yes, that configuration exists (attached the screenshot), but still the device progresses to create the work profile + device registration + install the required apps + keeps on prompting the device as "Non-compliant". But why didn't the Company Portal agent block this at "registration time"? Yes, our CAP takes care of the app, not allowing it to configure. I was surprised about device registration. Hence asked. Thanks
*Thread Reply:* Hey @Govi
Gotcha, in order to get Company Portal to block an Enrolment, you can configure Enrolment Device Platform Restrictions.
https://learn.microsoft.com/en-us/mem/intune/enrollment/create-device-platform-restrictions
*Thread Reply:* Thanks for your suggestion Nick 🤝 Yes, we are able to do as you suggested above for OS issues. We are also targeting "devices running with lower security patch updates" to be blocked, which was successful with our past MDM. Now we are trying something similar with Intune. I will post the updates here.
*Thread Reply:* MS told us to raise DCR for this feature of Enrollment restrictions with lower security patches
Hello, can anyone let me know how, be it manually on the device itself or through Intune, one can update an app that was deployed to a work profile on a personal managed device?
Is it possible to add Apple markup tool to Outlook iOS app with intune?
iOS markup toolbar is disabled for the work account. Which option in the MAM policy is controlling this behavior on iOS?
*Thread Reply:* Actually I don’t know, but would like to know too! Have not come across this yet.
Just a heads up, in case anyone is not aware. Number Matching is being enabled Feb 27 for MS Authenticator and the app must support a minimum version. The exact version? I can't find that yet https://learn.microsoft.com/en-us/azure/active-directory/authentication/how-to-mfa-number-match
Dear folks, is it possible to use Apple native mail instead of Outlook for email on iOS devices?
*Thread Reply:* Yes, but I’d recommend you setup Conditional Access policies so they can only use it if they use modern auth, instead of legacy sign in methods.
*Thread Reply:* We had to enable VPN for the profile as our IT Security has blocked the ActiveSync profile other than connections from corporate IPs. We also have a CASB solution proxying the connection. For some reason, email sync is still not working.
Has anybody seen this with Microsoft Tunnel?
How can we configure the Microsoft Outlook app for Cert Based Authentication? There is no option for Certificate Based Authentication within the Authentication methods, only Basic and Modern. Is there no support for CBA?
*Thread Reply:* In Intune / ACP select modern auth and configure your ADFS as described in the MS learn: https://learn.microsoft.com/en-us/azure/active-directory/authentication/active-directory-certificate-based-authentication-android https://learn.microsoft.com/en-us/azure/active-directory/authentication/active-directory-certificate-based-authentication-ios
We do have a couple of internal apps which use on-prem SAML SSO. We use MS Tunnel to connect these apps via the Edge browser on mobile devices. How do we enable SSO on these apps on iOS Edge? Can we make use of the SSO app extension config?
*Thread Reply:* Not by default I think, at least it is not disabled when you use Outlook on iOS without any management (MDM or MAM)
*Thread Reply:* We’re using it with MDM and MAM and I’m trying to figure out how this could be enabled as people claim it worked at some time and now it doesn’t anymore. Not sure where to start though, documentation didn’t have any obvious pointer for this.
How do you guys block private enrollments for Android 12 and above? We use KME for our corporate enrollments, but we also allow BYOD. But we don’t want to end up with every user enrolling several BYOD devices. Corporate Device Identifiers are dead in the water for Android 12 and above. Conditional Access won’t help. Maybe using TAP or Device Limit?
*Thread Reply:* Do you want to limit the enrollment to a certain number of devices? Because since you allow BYOD, there is not much else you could use to limit this.
*Thread Reply:* Exactly.
If a user wants to use BYOD he is allowed to enroll 1 mobile phone. So a device limit for these users would make more sense. Limit of 2 devices for a BYOD group, so he can have 1 windows device and 1 mobile phone.
Anyone using Just in Time Registration with iOS?
@Mikey2000 JIT as in it is creating the user object as they are signing-in or something different?
*Thread Reply:* https://techcommunity.microsoft.com/t5/intune-customer-success/just-in-time-registration-and-compliance-remediation-for-ios/ba-p/3660843 This one
*Thread Reply:* I’m using it and seeing good results as devices always get enrolled successfully. Unfortunately I don’t see a consistent picture when it comes to how many times users have to enter username and password. I was hoping that we would only get prompted during the setup wizard, but often users have to retype username and also password again when they log in to an MS app after having enrolled.
*Thread Reply:* That is exactly what I am seeing. We also have to login a second time within Teams for example. I thought the SSO config would take care of it that the credentials have to be entered only within the setup assistant and not a second time.
*Thread Reply:* That’s also what I expected - It’s weird that it’s not consistent though - sometimes users don’t need a second login (same tenant, same iOS version, same licenses).
*Thread Reply:* This is pretty slick @Mikey2000 — Admittedly, I saw some of those options in the DEP profile but didn’t notice they were tied to this new JIT process. I dig using ADE to get it rolling, then letting the user context be set later.
Is somebody else lately seeing this behavior where devices, mainly iOS, would enroll through Company Portal and also successfully do the registration for Azure AD, but under the users account that device does not show up as registered?
When checking for the name in Azure AD under Devices, you’d find the device with no owner or user principal name, also compliance and registration set to N/A, basically floating around and not being usable. Also when checking for the device in Intune, Intune Device ID and Azure AD Device ID would be the same even though that’s not how it works. The device that is floating around would have the right Intune Device ID and a different Object ID (the actual Azure AD Device ID we need) assigned.
Hello Folks, I have been asked to enable Apple native mail (via EAS profile) for a few VIP users. We have allowed users to add personal accounts in Outlook or OneDrive (we have a MAM policy for DLP). However, from the native mail app, users are able to save or share documents to the personal accounts configured in Outlook or OneDrive. Is there an option to block this behavior? We use device enrollment. Can we achieve this requirement if we use user enrollment?
*Thread Reply:* Basically you are trying to mix two different ecosystems: native iOS capabilities versus Microsoft Intune MAM. This does not play well. With iOS you can block data transfer from managed to unmanaged (save a mail attachment from a managed mail account to an unmanaged app). But OneDrive and Outlook are managed apps, because you distribute them from your MDM. There is no native iOS capability to distinguish personal and business accounts within Microsoft’s apps. That is only offered with the Intune SDK applied onto those apps. If you want the best experience and manageability, you either have to use all native iOS capabilities and apps, or Intune MAM capabilities and apps, to do this kind of separation between personal and corporate data and accounts. If you start mixing them, like you are trying to do now, you end up with issues like these.
*Thread Reply:* I disagree with your point of view, Marc. What blocking points / issue do you see when using native apps and MAM? You are able to push Exchange settings to native iOS apps and still use MAM. Am I getting you wrong? We are using this in almost all projects.
*Thread Reply:* The iOS concept of managed/unmanaged accounts only works on native iOS apps. The Intune MAM enterprise persona concept only works in Microsoft Intune SDK apps. So there is a disconnect there. One of the blocking points is the case that @mahiroux mentions. You can’t control the flow of data from a native iOS app to a Microsoft app on a persona basis and vice versa.
*Thread Reply:* Why not? The Exchange profile is managed. If you allow data flow with "iOS sharing" (I guess), you can open e.g. Word docs from native mail protected in M365 app with your managed business account there.
*Thread Reply:* iOS does not know if there is a managed business account configured in Word/Office. It just allows it, as Word/Office is a managed app. So in the case of Mahiroux, they allow personal accounts too. Which is fine, if you only work with MS MAM apps, but now users can send data from a managed iOS mail account to the personal account in Word/Office.
*Thread Reply:* You need to set Intune MAM UPN to avoid that. In that case the APP in addition to iOS sharing works it out. You are not allowed to share mail attachments to an unmanaged account.
*Thread Reply:* That does not cover all the use-cases though. It is not the case, when the user is not signed-in with the work account on the MAM app. In that case the file is still opened, with the personal account, unprotected. See https://learn.microsoft.com/en-us/mem/intune/apps/data-transfer-between-apps-manage-ios and then Example 2
*Thread Reply:* I need to double check on this, but I'm quite sure that you need to log in with a managed UPN if you haven't set it up yet.
Edit: You're right - found it in the article. But what happens, if SSO app extension is in place? Is the user able to bypass it?
*Thread Reply:* @Nico Hermeling MAM UPN is added on all APP policy managed apps, and sharing documents from the work account to personal accounts in these apps is getting blocked as expected. However, when we have enabled the EAS profile, users can share documents from the Mail app to personal accounts in the Outlook or OneDrive app. Sharing work to personal within the Mail app is blocked though. How are you protecting work docs in the above scenario?
*Thread Reply:* See the article Mark mentioned above. If the user already signed in, the data flow is protected. Seems that I was wrong that it's even protected when the user hasn't signed in yet.
*Thread Reply:* Quote Deploy IntuneMAMUPN app configuration settings to the target managed app which sends data. Adding the app configuration key to the receiving app is optional. Unquote @Mark Vonk thank you for sharing the article. @Nico Hermeling What i have understood from the document is if we are sending data from Outlook to email profile, then MAM policy will kick in and block the sharing to personal account. Not the opposite.
*Thread Reply:* See Example 2, second part „Sharing from a iOS managed app to a policy managed app with incoming Org data“. The user got e.g. a Word doc attached to a mail in the native mail client (managed Exchange profile) and opens it with Word. If the user is already signed in with the business account, the data flow is protected.
*Thread Reply:* @Nico Hermeling Thank you for the help in sorting this out. I have tested this in Outlook. When I tried to attach a document from the EAS profile to Outlook, I can only choose my work account. I have noticed the same behavior when I tried to attach documents from the personal Gmail app to Outlook. Is this expected behavior, as anything without a user affinity is considered organization data?
App Configuration Policy - Can anyone share a working JSON for Samsung Email app with certificate based authentication enabled?
Anyone aware of a method to prevent Apple IDs being added to iOS/iPadOS devices?
*Thread Reply:* "Block modification of account settings" but it requires supervised devices and also impact Mail, Contacts & Calendar account(s).
*Thread Reply:* This is a restriction payload btw.
*Thread Reply:* Perfect, sounds exactly like what I was looking for, thanks!
*Thread Reply:* This worked exactly the way I wanted it. Thank you and have a nice weekend
Hi all, wondering whether someone recognizes this issue. With Android Work Profile devices we noticed an issue while using the search option of the Outlook application to find a contact ('GAL'): you can search and find contacts, but when opening contacts their phone number isn't being displayed. We could not find any similarities based on OS version, Outlook version etc. However, when excluding CA and using Outlook on the personal side, phone numbers are displayed while searching for contacts in Outlook. Furthermore, on iOS there are no similar issues at all? Any idea? Thanks!
I'm wondering if someone can tell me the best way to pre-configure MAM apps. We are looking to move away from a full device enrollment over to MAM using Outlook Mobile for our BYOD users and are wanting to preconfigure some of the client settings. I thought creating an App Configuration Policy would do the trick but it doesn't seem to be applying to my test group I created.
*Thread Reply:* Did you make sure that people actually try to login? MAM needs user to go through login for it to apply the policy. Without that you can apply it but it will not do anything
*Thread Reply:* Yup I created a test group so that this configuration would only be applied to my test account. I then launched Outlook and signed in. Not only did it not disable Focused Inbox but I'm also noticing I'm not getting the normal compliance policy prompt telling me Outlook is getting managed by corporate policy the way Teams does.
*Thread Reply:* Did you check the APP logs to see what the checkin status in there says?
*Thread Reply:* No how would I go about doing that? This is all new to me as we always used Workspace ONE Prior to this.
*Thread Reply:* Troubleshooting + Support > type in your UPN in the user field and select it > click on App protection > look for Microsoft Outlook and then look at Status
*Thread Reply:* looking at Policy and OS in the same screen shows the name of the policy and helps differentiating between Android and iOS, also Last sync shows when the log was taken
*Thread Reply:* open edge browser and type
*Thread Reply:* Okay so I've confirmed via the troubleshooting piece that all our other policies are getting applied to the account. However this does not seem to be getting applied.
Is there a different option or place I need to go to preconfigure MAM apps? These are going to be used on unmanaged BYOD devices.
*Thread Reply:* Never mind I figured out what I was doing wrong and got it working. I thought I could just create the policy and it would apply. I didn't realize at first I also had to setup a managed app similar to a fully enrolled device for the setting to be applied.
Anyone successfully supporting Salesforce native app with Intune?
Hello Folks, a few of our VIP users need to use the Apple native app for email and calendar, hence we have created an EAS profile and are pushing it to devices to connect through Microsoft Tunnel VPN, as ActiveSync is enabled only from our corporate networks. Is there a way to enable ActiveSync externally but limit the access only to certain devices/users?
*Thread Reply:* You could always use quarantining but it isn’t a fool proof way of limiting devices.
*Thread Reply:* you can use certificate based auth and only provide allowed devices with the cert… You can create a conditional access policy to only allow EAS from specific users or you can disable EAS protocol from most mailboxes and only open up for your VIP users 🙂
Apart from compliance policy is there any other way to block a specific public app on a DEP-enrolled Intune device?
*Thread Reply:* You can hide and prevent TikTok from running with a device restriction
*Thread Reply:* Thanks, Peter, that can be a way. I hid some default Apple apps previously; it does work.
*Thread Reply:* You can also add TikTok as a public iOS app and assign as “uninstall” since you are running with supervised devices
*Thread Reply:* Anything for enterprise managed Android?
*Thread Reply:* For Samsung use KSP to block the app… If you can use Google Translate.. perhaps this blog will help you?
https://conscia.com/dk/blog/styr-paa-tiktok-paa-mobile-enheder-intune/
Hello Folks, we are pushing the MS Authenticator app as managed for iOS devices. Since we are on BYOD, users also have their personal accounts' MFA configured in the same app. How do I enforce removal of the corporate account when the device is retired?
For our iOS devices we are, since about a month, seeing problems with MAM rules on Teams specifically. Getting "Connect to the Intune service to continue to access your work or school account in this app. You may need to sign in to connect." and then the account is removed and has to be added once more. Device OS requirement in MAM and compliance is 16.3.1.
Have reported the issue to MS, anyone else seeing the same issue?
*Thread Reply:* We have similar issues. Users not being able to open the MSFT apps since it's stuck on "checking your organization's requirements" or similar. Or a notification is received but the app does not update once it's opened.
We're using MSFT Defender for iOS with the VPN loopback profile. Thinking this can be the issue.
The Company Portal deprecation in ADE change has been delayed
Hi all!
Anyone else having issues with the Microsoft Apps on iOS devices?
We seem to have 2 separate issues.
*Thread Reply:* Hi Anton,
You mentioned that you removed MAM policies. Was there a conditional access policy enforcing client app (MAM)?
*Thread Reply:* If you removed the App Protection Policy in Intune but left the CA policy, it will probably keep devices in a loop when opening MS apps
*Thread Reply:* Hey! Don't think so, but will look in to this, thanks for the heads up!
Hey all.
Has anyone tried to leverage MDM to enrol devices to Intune? Context: I have a client considering moving from WS1 to Intune. Can Workspace One (custom PS1 script or WCD provisioning package) be leveraged to enrol devices to Intune? I suggested gathering device hashes, factory reset and enrolling with autopilot during the migration, but the client asked for a less disruptive approach.
*Thread Reply:* It’s not going to be a clean process, but you may want to check out exodus. https://exodus.tools/
*Thread Reply:* I haven’t personally used them but I have seen them suggested before in this Slack group
*Thread Reply:* Also depending on their management use case they may want to seriously reconsider this move. Intune is relatively terrible at the Fully Managed / Dedicated Device management scenario while WS1 is significantly more capable in that arena. I do not consider them to be equivalent tools and Intune could result in a severe downgrade in capability depending on their management needs for the devices.
*Thread Reply:* Another migration tool I heavily used in the past: EBF Onboarder https://ebf.com/en/emm/ebf-onboarder/ You can register for a trial and check it out for up to 20 devices.
*Thread Reply:* We did a migration from WS1 to Intune with supervised ADE enrolled devices.
For the already enrolled devices, we did an "enterprise wipe" from WS1 and asked users to enroll in to Intune like they would do on a personal device (driven by the Company Portal app).
I do believe that we pushed out the Company Portal app from Workspace ONE and we removed the setting that uninstalls that specific app after an enterprise wipe.
We also uploaded a .csv with all of the serial numbers to Intune and set them as "corporate owned".
This meant that devices were still supervised (as no reset had been made), and devices were flagged in Intune as corporate owned with all of the benefits that come with that. For new devices, we of course changed the ABM sync directly to Intune as well as moving all the existing devices over to Intune. This means that new devices, or existing devices that are being factory reset, still end up in Intune.
This was a huge success and had a limited impact on end users. The only drawback is that the migrated users are able to remove the management profile if they dig down deep into the settings, as the actual enrollment into Intune was done using the Company Portal app.
*Thread Reply:* Should have clarified that this is for windows 10. That's why I mentioned the PowerShell or WCD provisioning package. Keep forgetting that this forum is geared toward mobile specialists.
*Thread Reply:* My message was about Win. EBF Onboarder supports Windows as well. Without Onboarder - I would recommend your approach (collect Hardware Hash, upload to Autopilot, reset the device and let Autopilot do the job).
*Thread Reply:* Agree on Autopilot, but the client has other ideas. Need something that works without a factory reset as an option. I will look into EBF; didn't know it supports Win10. We used it ages ago for iOS.
*Thread Reply:* Well, have a look into provisioning package, but you will need a Device Enrollment Manager for that, I guess. Other option is manual enrollment through Settings. Just to get the devices into Intune
*Thread Reply:* Yeah that's one downside that all devices will be under the same name if using a provisioning package.
We use MDM policy (Do not allow managed to unmanaged) together with the MAM policies (Policy managed apps with OS sharing). While testing, I have found that the iOS 'Shortcuts' app is not following the APP policies. Users can make use of Shortcuts to share documents from apps such as Outlook or OneDrive with unmanaged apps. Is there a way to prevent this?
*Thread Reply:* Hah. Remove the shortcuts app :)
*Thread Reply:* We have a BYOD policy. Looking for a solution other than blocking the 'Shortcuts' app. My expectation was for the MDM policy to block sharing the data from managed to unmanaged.
Just posting this here for anyone that needs it... might be relevant to current events. https://www.jeffgilb.com/handling-prohibited-apps-with-intune/
We have Apple devices doing device enrollment. They are not supervised; no DEP.
We would like to allow users to add personal accounts to Outlook, Word, what have you, because there are a number of users who have personal subscriptions.
The issue is that the APP does not seem to get applied like MS says it should – just to the work account
From MS, multi-identity support is the ability for the Intune App SDK to only apply app protection policies to the work or school account signed into the app. If a personal account is signed into the app, the data is untouched.
For enrolled devices our primary APP is set to allow copy and paste between Policy managed apps. This does not let you copy from a personal email account in Outlook to say a text message (or really anywhere).
Opened a ticket and got the spiel about sending screenshots of the policy, logs, etc. and they are investigating. Not holding my breath.
I started messing around with different settings for the copy paste option in the APP and the app configurations. Remove the IntuneMAMUPN key from the app config. No difference. Set the policy to policy managed apps with paste in. Nope. Changed it to Any app. Still get blocked copying from personal to personal with the added bonus of copying work email to the personal email.
So, has anyone ever gotten this to work the way MS says it is supposed to work?
*Thread Reply:* Correct me if I misunderstood this, but APP will only apply to the work account, so it is working as it should. Everything else is not interesting for APP. Did you check in Outlook and see if the APP really got applied to your device?
*Thread Reply:* Well, if it is set to allow between "Policy managed apps" it does allow you to say copy from work Outlook to work Word. So check for the Policy managed app part.
The issue is that if you also have a personal account in Outlook, it will stop you from copying to other personal apps...say from a gmail address (in Outlook) to a text message or Notes. Even when I set it to allow copying to "Any App" it blocks copying from a personal Outlook account to other personal apps. It doesn't even let you copy from personal apps to work apps (the Receive data from other apps is set to All Apps). So it seems to apply the policy to the entire app not just the work account, which is the exact opposite of what MS says it should do.
I did verify that the devices got the APP applied. Checked in the console, through Edge for each of the apps that are managed, and the diagnostic logs. "ClipboardSharingLevel" equals 3. Even waited a couple days just to make really, really sure it was there.
I am going to try applying different settings to MAM only. I haven't read anywhere that multi-identity only works in MAM but you never know.
*Thread Reply:* You are using MDM policy to restrict copy & paste on MDM level ? Managed apps can have a clipboard restriction. This stays on top of APP as it relies on OS functionality. Maybe you are looking into the "wrong" policy ?
*Thread Reply:* It has been a long day and my brain is slow but I'm not following. Do you mean there may be a clipboard restriction in the Outlook app config?
*Thread Reply:* You guys are both right. Not the APP - which is working fine (only asks for the APP PIN when opening the work account). Copy and paste restriction in the device restrictions profile from iOS 15 and up stops you copying outside of the managed Outlook app.
Now the only issue I am left with is how to stop them copying and pasting their work email straight into their personal email in the same managed app. Looks like there is an Outlook app config that will block personal accounts being added to Outlook but I am not sure how well that will go over on BYOD. Any thoughts would be greatly appreciated.
*Thread Reply:* The combination of MAM/APP restriction “clipboardsharinglevel” = “3" and the removal of the MDM clipboard restriction for managed apps should do exactly what you’d like to achieve?
*Thread Reply:* Could you check your APP on an unmanaged device to see how the behavior is? If you have the clipboard setting set to “3” it should allow copy/paste from outlook personal email account to personal & work account. The paste action from work email to personal email should be blocked?
How would you guys approach a change where you’d have to move Android and iOS devices from one SCEP certificate to a new one? I was thinking about unassigning the old one, waiting 24 hours and then assigning the new one, since I want to avoid confusion on the devices. Do you guys have ideas how else this could be done without breaking anything?
*Thread Reply:* Just to make sure. There is an auto renewal on a specified threshold in the configured scep profile. this is not the solution for your problem, right?
I guess, even if you wait 24h you won't reach all devices (turned off for holidays, low battery, ...). We have a similar situation - Microsoft support did ask us to remove our Wi-Fi profiles with SCEP from all devices, wait for some time and redeploy with the new settings. It's a mess but MS support still asks us to go through it.
*Thread Reply:* We've done this. Basically did it the way you have outlined, but didn't even wait 24 hrs. Basically, unassigned the profile w/ original certificate -- waited an hour then assigned the new one. Devices won't all check in or sync back to get the updated profile w/ cert payload but we did it on a Thurs night to accommodate for the bulk of users getting the updates globally, across diff timezones -- so most US devices were A-OK by the next business day, and a lot of users didn't even notice until they were back in on Monday (we use our SCEP profile for in-office corp network authentication) .
We did this for all device platforms. Funny enough, mobile (iOS and Android) were the only ones that didn't encounter any problems -- for some reason our Macs managed with JAMF and our Windows devices all had a hodge podge of small issues encountered.
*Thread Reply:* I did everything as I outlined and it worked.
We are using a BYOD approach for the management of iOS and Android devices. Recently we had a security breach due to an MS Authenticator vulnerability. The security audit has recommended that we limit device registration to within the corporate network only. Is there an option in Intune in which we can force the user to log in to the portal and register a device before in-app registration using Company Portal?
*Thread Reply:* By using Conditional Access rules you should be able to require a compliant device for MS authenticator. However I don’t know what to configure exactly to create the scenario. MS Support case?
*Thread Reply:* Yes, AAD instead of Intune.
You can achieve this with a Conditional Access policy, with Device Registration limited to your corporate network.
Does anyone know if Intune collects device crash reports the same way the Apple App Store does? I couldn't find anything about this in the logs
What could be the reason for seeing below in Intune audit log for Android devices?
Anyone know if Intune (or any EMM) can collect app inventory data for Android Instant Apps or iOS App Clips? For example, for a compliance policy with restricted apps, or for a security app to scan for malicious apps.
*Thread Reply:* Nevermind, we found the answer: https://developer.apple.com/documentation/app_clips/creating_an_app_clip_with_xcode
• An app identifier for the App Clip, using the full app’s app identifier as its prefix, followed by a string. For example, if your full app’s app identifier is $(AppIdentifierPrefix)com.example.MyApp, the app identifier for your App Clip would be $(AppIdentifierPrefix)com.example.MyApp.Clip.
Friends! I want to deploy shared dedicated Android devices with Azure AD. However I wonder if it is possible to NOT use Managed Home Screen but still be able to sign in/out users with SSO? The reason to why I do not want to use MHS is that its not compatible with Samsung DeX which I also need to use. Thanks!
*Thread Reply:* Hi mate, since Intune relies on AMAPI and Google still don't support native shared use APIs introduced in 9.0, third party solutions are the only option. I'm not aware of Intune supporting any other method than MHS, but I defer to the intune experts
*Thread Reply:* Thanks for your reply Jason 😉 I tried to ask the almighty ChatGPT about it and it said that it should be possible to sign in/out users on a shared device using Intune Company Portal instead of MHS, but I have not found any evidence for that 🙂
*Thread Reply:* I mean it's technically not wrong, but I'm not worried about my job just yet..
*Thread Reply:* true, me neither. But in this case I wish it is right 🙂
*Thread Reply:* @Jason Bayton Do you know if it is possible to allow "Screen overlay" and "Notification" permissions for an app using Knox Service Plugin? Would like to hide those pop-ups and set the permissions from MDM (Intune in this case)
*Thread Reply:* Notification is a runtime permission so as long as runtime is granted that should be sorted. Screen overlay, or display over other apps, on the other hand is a special permission.. notification is shown in KSP interestingly but I don't see equivalent for the overlay I'm afraid.
Thoughts on best handling BYOD -- iOS and Android use cases ? Where to start from in terms of identifying which types of devices are currently accessing company data and how do I enable BYOD devices to be further managed in MDM and then access further company data and if not managed can't access data? Recommendations ?
Is there a way to notify Intune admins every time a new device is enrolled? Customer is a little bit needy LoL
*Thread Reply:* There is a way with Teams webhook - at least for Win devices: https://msendpointmgr.com/2019/07/10/how-to-notify-a-microsoft-teams-channel-when-a-new-windows-device-has-enrolled-in-microsoft-intune/
Has anyone had an issue with the device freezing up when using the Comp Portal workflow for enrollment?
Have a customer reporting it’s getting “stuck” and they can’t get go anywhere but a reset and start the process over — I just stepped through the entire workflow (iPhone SE 2020) and it worked fine.
Yes. It simply doesn't work and nobody wants to admit what the problem is.
Weird. It did actually work this time around… first time I’ve tried it in forever. Maybe just good luck LoL
Does the same thing if you try and lock in the hub with ws1
It’s like it’s doing ADE and that works, but the second it layers on the Comp Portal app it goes sideways
Said an app shouldn’t be managing apple devices anyway
I just use enroll with affinity. Use company portal. No lockdown
Then I work some magic and hide everything but the portal
Once they enroll, it flips a switch and everything shows up again
Yeah, Modern w/ User Affinity works great. I get what you’re saying about hiding apps/etc until they enroll, but really don’t want to lead them down that path unless they have someone on payroll who can manage it
Like I say, it’s funny that it just worked. Let me try again and see if I can get a 2nd or 3rd time success
Did you ever have success with it @Sharkey? Is it possible that they’ve remedied it in recent builds?
Nope I’ve tried many times over the years with the same result
Like I said, it happens with a Workspace one hub if you do the same thing. Try setting up a staging user then locking the hub in as a single application mode. And it will freeze on occasion as well.
https://mobile-jon.com/2023/05/29/mobile-jons-guide-to-windows-365-boot/
Did MS push out a change to Intune App protection report? The report is now missing platform version, android patch version, device model, device manufacturer.
Any idea if they moved it or if this information is available elsewhere? Frustrating as this makes operational activity difficult.
*Thread Reply:* “MAM reporting has been simplified and overhauled, and now leverages Intune’s newest reporting infrastructure. Benefits of this include improved data accuracy and instantaneous updating. You can find these streamlined MAM reports in the Microsoft Intune admin center by selecting Apps > Monitor. All MAM data available to you is contained within the new App protection status report and App configuration status report.”
https://learn.microsoft.com/en-us/mem/intune/fundamentals/whats-new
*Thread Reply:* Received an update from MS. The app protection report and missing columns should not have been removed and they will be putting it back in a week's time.
*Thread Reply:* I'm glad Microsoft completed the change testing on this one to verify MAM reporting was good 😜
Anyone utilize Intune on their Android tablets to set up a kiosk for time clocks? We are trying to use Edge as it seems to be the only app that allows a kiosk config (Chrome seemingly doesn't have this?). We are using Edge under single app mode and when a tablet is reset it boots back up, starts Edge, then when a user interacts with it, it starts /another/ Edge process
*Thread Reply:* Hi @Anthony,
Have you looked into using an Android Enterprise Dedicated enrolment, and then in the device config, specify Device Experience as Dedicated, Kiosk Mode Single App
https://learn.microsoft.com/en-us/mem/intune/enrollment/android-kiosk-enroll
Powershell resource for Intune, MS are adding sample scripts for tasks: https://microsoft.github.io/webportal-intune-samples/
Annoys me I have to be a power shell wizard to manage intune
I'm curious how do most of you set the following content protection policy? Wipe Data or Block Access for disabled accounts?
Has anyone seen their VPP tokens failing with error "assignedToExternalMDM"? This has just happened to me for a new customer deployment. We deleted/renewed the token and the same issue occurred. Have now changed "Take control of token from another MDM" from "No" to "Yes", which seems to fix it, but shouldn't have to do this.
*Thread Reply:* I would advise to create a new location and with that a new VPP token, so you have one unique VPP token per MDM. It will circumvent MDMs fighting to claim licenses from the same pool of licenses.
*Thread Reply:* Yep, but this customer only has one MDM... have never done MDM before (that's what they tell me).
Folks! In Knox Service Plugin (OEMConfig) I have enabled "Enable E-FOTA client installation & launch". The E-FOTA app gets installed but it is not automatically launched, meaning that the device does not automatically enroll.
The devices are managed by Intune and enrolled as Dedicated, with Azure AD and have Managed Home Screen in multi app mode enabled. Anyone who knows what I need to do to get the E-Fota app auto-launch? Thanks! //Niklas (edited)
*Thread Reply:* You need to approve a bunch of processes to allow them to run in the background… In MHS
*Thread Reply:* I don’t have the list at hand, but do remember it as being quite long
*Thread Reply:* Hi Peter, Thanks! Thats what I thought. If anyone finds that list it would be much appreciated
*Thread Reply:* do this :
Managed Home Screen debug screen
You can access the Managed Home Screen’s debug screen by selecting the back button until the debug screen is displayed (select the back button 15 times or more). From this debug screen, you can launch the Android Device Policy application, view and upload logs, or temporarily pause kiosk mode to update the device. For more information about pausing kiosk mode, see the Leave kiosk mode item in the Android Enterprise dedicated device settings. If you would like an easier way to access Managed Home Screen’s debug screen, you can enable the Quick access to debug menu setting using device configuration policies or you can set the Enable easy access debug menu to True using application configuration policies.
to find the apps/procs that are blocked…
*Thread Reply:* Thanks again Peter, will dive into that. By the way, I plan to visit the beautiful Laesö this weekend and drink some Danish beer 😉
*Thread Reply:* Brilliant!! Enjoy the beers and nice country side vibe
Hi, do you guys know if we can check historical phones a user has previously enrolled in Intune? We’re trying to see if a user had any phones enrolled historically
*Thread Reply:* You could check the Audit Log in AAD for the user, which will show previous interactions on the account. AAD might show something in the Devices tab too for the user.
*Thread Reply:* If you are keen you could also use the Intune Data Warehouse / Odata to access historical data. Would probably require some PowerBI work
*Thread Reply:* Audit log for me only can go a month back, but that’s a good starting point, together with the Devices tab in AAD. Does Intune Data Warehouse / Odata store everything or do you know if there is a limit to it?
*Thread Reply:* I have a feeling that the data warehouse shows historical data like deleted devices last time I checked. It's not too hard to setup
https://learn.microsoft.com/en-us/mem/intune/developer/reports-nav-create-intune-reports
*Thread Reply:* This goes into more detail
https://learn.microsoft.com/en-us/mem/intune/developer/reports-ref-user-timeline
*Thread Reply:* I will very much defer to @Jason Bayton on this stuff, but I believe EMM API is different from Android Management API and AMAPI is what Google is pushing everyone towards
*Thread Reply:* Yes that’s my point exactly.. EMM API is different and Microsoft do not use EMM API and it’s not available for new EMM players that do not currently use it
*Thread Reply:* Intune have been AMAPI for yonks, there's no mention of Play EMM APIs in the article. It looks like they're (finally) moving off of some deprecated APIs and bringing UX in line with most of the rest of the iframe-enabled vendors.
*Thread Reply:* It’s just the name of the title that threw me at first. Google Play EMM APIs
*Thread Reply:* Oh yeah, poor wording indeed. How unlike Microsoft to muddy the waters!
*Thread Reply:* I missed that in the title as well, very confusing
*Thread Reply:* They have updated the title page 😂
*Thread Reply:* There are Microsoft folks lurking in here. What's the chances? Ha
*Thread Reply:* Quick, everyone write down their gripes and hopefully someone is listening 😂
*Thread Reply:* The list would be too long 😂
I have pushed Seclore-Intune and Adobe Acrobat - Intune app for iOS users. When the users install the app, they receive the prompt to create a new access PIN. Since the users already have an access PIN created for other Microsoft apps, should this be shared with other apps including non-Microsoft apps, as we use the same app protection policy for all apps?
*Thread Reply:* It’s a policy for each app since the apps can’t share this kind of stuff.
*Thread Reply:* So only Microsoft apps share the PIN; all other apps will be asked to create a new PIN?
*Thread Reply:* Just read the Microsoft document, PIN is shared among all apps of the same publisher.
Folks! Being quite new to Intune I have, what might seem like a newbie question. In a dedicated android device scenario, If I add: "android.app.extra.PROVISIONINGLEAVEALLSYSTEMAPPS_ENABLED":true in the Zero Touch enrollment profile, Do I still have to assign "Android Enterprise System Apps" in order to get certain built in functionality to work? Guess not right?
You may find certain apps are still missing when you do it this way and it can vary by manufacturer. I always tend to leave it enabled and then block but others may do it the opposite way round
*Thread Reply:* I prefer that way as well as it is otherwise difficult to know just how many manufacturer apps and services have been blocked. I personally find it easier to manage blocking than figuring out which apps need to be re-enabled
*Thread Reply:* Exactly my approach too
Any ideas how to uninstall Required app on Android Enterprise Fully Managed device? (not to add the device in exclusion group and then add the group to Uninstall, looking for other ideas if there are any)
We are observing, Intune started capturing the Serial no's /IMEI's of Samsung Android 12 device and device type is BYOD -> Work Profile. did you see this in your environment? Model affected are -> SM-A,G,S,G,M SERIES. #microsoftintune #androidenterprise #byod #samsung_intune
Hi, Anyone else having problems with WiFi profiles on Android 13 with Security patch June 01? All devices we enroll in Intune with this version get the following error codes, 0xc7d24fc5 and -942518331 //Niklas
*Thread Reply:* Yeah, I had a bunch of users yesterday who were unable to connect to corporate Wi-Fi on Android 13 devices + latest SPL. All devices enrolled with MI Core.
*Thread Reply:* @Phil Hackett Ok, so not isolated to Intune then. Do you have any workaround?
*Thread Reply:* No workarounds yet 😔. I’ll open a case with MI support and see if they can engage Google. But I’m not gonna hold my breath.
*Thread Reply:* Do you happen to know the # for the issue MI have open with Google?
*Thread Reply:* I have a open ticket with Microsoft regarding this matter.
*Thread Reply:* We’re using Workspace ONE and just opened a VMware case 23442556606 for this as well.
How do I see the MS Defender VPN logs? I am currently facing an issue with one of the apps. Need to confirm app data is getting tunneled.
Does anyone have any tips on automating alerts for Intune connectors. E.g. DEP/VPP token renewals to raise a ticket into ServiceNow
We’re looking into webhooks with the Microsoft graph API but wondered if anyone has done anything similar
*Thread Reply:* https://tech.nicolonsky.ch/monitor-apple-token-expiration-in-intune/
*Thread Reply:* You could do a fair bit with PowerShell, or send it to a PowerBI Dashboard alternatively
*Thread Reply:* We’re doing a lot with PowerBI at the moment that was going to be my next thing to look into even if it’s just a visual output for now. Will take a look at that link. Was just curious if anyone had done anything funky or something I haven’t thought about yet
*Thread Reply:* Do share if you find something interesting, I just create an Outlook reminder for the next expiry date whenever I renew it.
*Thread Reply:* Yeah that is the simple thing but we also want to monitor the sync not just end dates. But also monitoring the cert connectors too. I need to speak to our Azure team and see if we utilise Azure automation then we can utilise Graph API for automated alerting
Hi, maybe an Intune-newbie question, with risk of being expelled from Mobile Pros... If I assign an app to "All devices" and add a filter excluding device A, AND add an assignment for the same app to a dynamic device group where device A is a member. What is the expected result? Thanks in advance!
*Thread Reply:* I guess that is not a very common assignment setup, because I have never seen such an assignment. But I would think the app will be required (installed) or available to the user on the device.
*Thread Reply:* In Microsoft Intune, an assignment rule with an exclusion takes precedence over an inclusion rule. So, even if you assign an app to a dynamic device group where device A is a member, the exclusion rule will override this and the app will not be installed on device A. 99% percent sure 😁
We had deployed an app through Intune with a VPN profile. Later the app was removed from the Intune portal; however when users download it from the App Store, the app still shows as managed and traffic from the app is routed through the VPN. How do I make sure the app is no longer managed?
*Thread Reply:* Was there a separate VPN profile set in Configuration Profiles? Is the user still enrolled and receiving that VPN Profile?
*Thread Reply:* The behavior you're describing suggests that the app's management profile (including the VPN configuration) might still be active on the devices, even though the app was unassigned or removed in Intune.
*Thread Reply:* @Nick Knight There is a VPN profile for iOS devices which is available on the user's phone. The app shows under the VPN profile though it is removed from Intune.
*Thread Reply:* The VPN profile will persist if you only remove the VPP app, and you have not removed anything else. That's expected behaviour
*Thread Reply:* We do have other apps which are tunneled and require the VPN profile. My expectation is once the app is removed from the user group and deleted from the Intune portal, the app should be removed from the device as well as the VPN profile. This is something I had witnessed when we were using Ivanti.
*Thread Reply:* You may need to update the VPN profile and remove domains/URLs that call the VPN if it's set to Per App
*Thread Reply:* We don't use any domain rules in the VPN profile. I have opened a case with MS support. They are currently testing this on their side. Thank you so much for your helping hand.
Has anyone come across an issue with iOS BYOD devices stuck in "compliance policy not evaluated" status and users unable to use work apps? Any known fix for this issue?
*Thread Reply:* Hey @mahiroux Is the device checking in and is it healthy? Company Portal and Intune will show which compliance policy is failing and requires remediation.
If users are unable to use work apps, sounds like a Conditional Access policy is used for enforcing compliance. This could be disabled temporarily while troubleshooting.
*Thread Reply:* The default compliance policy got applied successfully and there is one more policy which we are pushing specifically for iOS devices which is failing on affected user devices. The troubleshooting page shows Intune compliance as pending and AAD compliance as Non-compliant.
Anyone using Defender for Endpoint on Android? Our users are able to bypass the warning on a phishing site. I don’t see a setting within the app configuration policy to prevent that. Can anyone confirm that this works as designed?
*Thread Reply:* Hey @Mikey2000 I think the behaviour might be managed in the MS Security portal, specifically, if it blocks or just warns and allows bypass for a user on the IOC/Cloud App.
Under Enforcement
*Thread Reply:* But that would mean I have to create indicators manually and it is impossible to do based on phishing sites. How would I create indicators of events that didn’t happen yet.
Any forum newly created to evaluate the iOS 17.0 features with Intune MDM? If so, please share.
Would anyone here be interested in a free security assessment of their Intune environment? I'm developing a product and need some sample environments.
Just out of curiosity - how do you guys handle conditional access for mobile devices. Do you use only the compliant status within the CA policy and a compliant device always gets access right away or do you also enforce MFA on mobile devices like you would with a desktop client, like reauth after some time?
*Thread Reply:* This depends on your security strategy. For example our ZTNA policy is basically everything is untrusted and always ask for MFA, even if it’s an enrolled and compliant device. It’s not the most user friendly experience but security teams are never known for being the ones user love!
*Thread Reply:* I know what you mean. Currently our CA policy is that all users have to reauth every 6 hours on every device. And like you mentioned the usability, our mobile device users are complaining a lot. So we are thinking about adjusting that.
*Thread Reply:* We set the policy to require MFA slightly less often (depending on the resource being accessed, since some internal sites or apps may have more sensitive data) if the device is managed and compliant. Having less MFA prompts required is also a nice 'carrot' to get people to get their mobile device into management (it's not 'required' but an opt-in for most of our BUs). It's fluid though, as complainers are going to complain and too lenient can be argued 'less' secure....
If you need to change your PIN code on a device, under "Face ID & Passcode" when it prompts the user, the numerical keyboard comes up. However, in our environment when a PIN code expires (every 90 days) they are prompted to change the Passcode and a full QWERTY keyboard comes up. Our users are now putting in passwords instead of a 6 digit PIN code. This is confusing users; they are conflating their network password with their company iPhone/iPad passcode. Moreover, if a 6 digit PIN is mandated in our environment, why does the full QWERTY keyboard pop up when all they need is a numerical keyboard? Is this by chance a setting that can be tweaked in Intune?
*Thread Reply:* There are 2 settings that might force a non numerical keyboard to show up : "Required password type" and "Number of non-alphanumeric characters in password".
Can you share your current Password profile configuration ?
*Thread Reply:* See attached image. I can’t really get a screenshot from our environment so this will have to do.
*Thread Reply:* The configuration is correct. Are you able to reproduce the issue by going to Settings > Face ID & Passcode > Change passcode ? Do you see the "Passcode options" menu on top of the keyboard ?
*Thread Reply:* You can also check if an Exchange Mailbox policy has been set which can override MDM passcode policy (the strictest policy wins).
*Thread Reply:* Thanks @Steven. To answer your first question see attached
*Thread Reply:* And as to your other question about the Exchange mailbox policy, I don’t have access to that in our tenant. I already put a ticket in with MS on this, but have yet to hear back from them.
*Thread Reply:* @Ray Domingue did you get anywhere with this? The behaviour that you described seems normal from my testing as well.
Deploying the password policy with a dynamic device group means that it won't interfere with the ADE password policy. But might do so on the next password refresh
https://www.reddit.com/r/Intune/comments/13l4ib4/6digitpasscodeenforcementfor_ios/
Good old Microsoft! Can you spot the error... :face_palm:
*Thread Reply:* lol, why is it labeling Android devices like that
*Thread Reply:* no no these are actually iOS devices
*Thread Reply:* oh okay, what is the issue then other then the label being wrong?
*Thread Reply:* Oh no issue just found it funny that it was classing them as Android devices.
*Thread Reply:* If you want to test to see if you're affected, check App protection policy check-ins for a specific user and see if you have the same for an iOS user
We are using BYOD work profile for Android devices. We have blocked 'adding or removing accounts' using a restriction policy. Some of the Samsung users (noticed with Android 11 and 12) have reported that when they change their AD password, they are unable to update their password in Microsoft apps. I need to either remove the policy temporarily or users need to re-enroll their device. Is this a known issue?
*Thread Reply:* I’ve only recently seen this issue with iOS devices in our Intune tenant. Raised a ticket with Microsoft a while ago, didn’t really get help and they said that there was no issue from their side. What helps as a workaround for us is going into Apps > App Selective Wipe > Select the affected user and then send the command. This kinda clears the cache and gives users the possibility to sign in again, without having to reenroll
With MobileIron we had the possibility to create a certificate enrollment as "Single File Identity". Is there no such feature with Intune?
Is anybody else seeing “SafetyNet device attestation (Check basic integrity and certified devices)” marking Pixel devices Non compliant in Intune?
*Thread Reply:* Yes, I had that issue on my pixel. Re-flashed the device and it checks safetynet now, no issue.
*Thread Reply:* You reflashed it? The employee I had did a factory reset and then a clean setup of the device with no data restore or app installation, still same issue
*Thread Reply:* Used this tool to flash https://flash.android.com
*Thread Reply:* Factory-reset won’t resolve it.
*Thread Reply:* But what is happening to the device for this to occur? Flashing the device is not a viable option for us
*Thread Reply:* It looks like one (or a few) packages were corrupted. Flashing the device with that tool is straightforward, and it might be similar to resetting a device.
*Thread Reply:* I could flash a device that is not a problem, but that is not a solution that I can present to non tech savvy employees who just want the phone to work. Is there any official communication out that this is happening? I couldn’t find anything about it. @Jason Bayton do you know anything about this?
*Thread Reply:* This happens across OEMs randomly a lot, and particularly with Intune in my experience.
Most of the time it clears itself up without intervention, but I suppose it's going on a little too long for your devices?
Raise it with MS in the first instance, after you've done basic checks on the employee devices to confirm they're not unlocking the bootloader, running betas, or otherwise fiddling with things they shouldn't.
*Thread Reply:* Had one user who is also my boss reach out to me with this issue and so I checked to see if more devices have that issue, found a few more so I was curious if this was a known issue and if there was a fix for it
*Thread Reply:* Update to my above comment, I believe there may actually be an issue with safetynet at the moment. Logging it with MS will allow them to reference this with Google.
*Thread Reply:* Looks like they rolled out an update that resolved the issue; out of the 6 non-compliant devices I had yesterday 5 are compliant now and the last one is yet to check in.
Are there good resources available or ones that you may have used, to put together a gap analysis of Intune vs Workspace ONE UEM? Primary gap analysis for iOS/iPad OS management and Android Enterprise management. Both Corporate Issued and Personal Devices. Single users and shared devices.
*Thread Reply:* For Android Enterprise Corporate Owned / Fully managed I can attest to WS1 being much better than Intune. I cannot speak to any other use cases as my specialization is fully managed Android Enterprise. Relative to that use case however, Intune is one of the worst products
*Thread Reply:* WS1 has a custom DPC (agent / device client) which enables it to perform the base AE spec’d management capabilities + more. This unlocks capabilities like file management on device and direct APK installation and version control. Intune is heavily aligned with the AE spec and therefore it's more of a lowest common denominator when it comes to managing those features. In other words WS1 can do all the same AE management options as Intune, since Google sets the spec of what needs to be supported. WS1 just goes beyond that to offer additional capabilities through their custom DPC. File Management and direct APK installation with proper version control are critical for line of business devices from my experience.
*Thread Reply:* But you mentioned Corporate Issued. If these are Corporate issue cell phones that are still personally enabled then that use case is different than the corporate owned, fully managed use case that I’m referring to
*Thread Reply:* We have both. COPE is part of what we're looking at too.
Do you have any feedback on iOS/iPadOS management?
How do I fix this notification for the Defender app which our android BYOD users have started receiving on their devices recently?
*Thread Reply:* I’m assuming you mean the device is at risk message. Users will have to click and allow the relevant permission it’s seeking (I’m assuming file/storage access which is what it usually is). I’m no expert on defender but I’m sure you should be able to autogrant the default app permissions.
*Thread Reply:* Thank you for the insight. Defender app requires location permission. When I grant the permission, notification disappears. As you suggest, I will check the possibility of auto granting the location permission via app configuration.
*Thread Reply:* It was too early to confirm. Notification came back. Not sure what permission app requires.
*Thread Reply:* Might be worth checking what has been granted already. I’ve never actually deployed defender in the wild only for testing and my permissions were always storage related!
*Thread Reply:* Is it asking for the same permission to be granted each time?
*Thread Reply:* Available options are all selected.
*Thread Reply:* But if you click the notification what does it ask for?
*Thread Reply:* It redirects to the app. Doesn’t show anything related to permissions.
*Thread Reply:* If you open the app and click app security what does it show?
*Thread Reply:* Was about to say you should delete that photo 😂 for security
*Thread Reply:* Sounds like something in your app config might be off
*Thread Reply:* Thanks. Let me look into these areas.
Any way to ensure an app stays up/reboots on Android management? We use Edge with an Intune app config policy to put the app into kiosk mode and run a web timeclock. We are running into an issue where the tablets end up on a black screen after what I presume is Edge crashing -- and not reopening unless I hold the power button to display power options and back out of them
To my knowledge: there is not any way to put Chrome into a kiosk mode? i.e. hide the url bar and nav buttons?
Any idea what might be triggering the need for Outlook to become a device admin app? This is after successful login and App Protection Policy has been applied… has only recently started happening…
*Thread Reply:* Something you applied is asking outlook to be able to read outside its container. Some thing in the app policies? Look through what you are applying and see if anything might seem like it’s checking device posture etc.
*Thread Reply:* Yeah weirdly nothing has changed in the app policy for a good few months. Just started over the weekend. Only thing that has happened recently (within the last 2 weeks) is a new conditional access policy requiring an app protection policy be applied. But I can’t fathom in my brain how that would activate device admin!
*Thread Reply:* Maybe an Exchange mobile device mailbox policy?
*Thread Reply:* That’s what MS have said so I’m getting our Exchange admins to check but they haven’t made any “changes” lately either so confused why it’s appearing all of a sudden
*Thread Reply:* This gives me PTSD from managing exchange on mobile in the old days. Those exchange policies..
Maybe IT patched your exchange servers and accidentally set a policy
*Thread Reply:* Yeah just got hold of an exchange admin so we scheduled some time in later to review! Thought my days of device admin were in the past! 😫
*Thread Reply:* So there is an exchange mobile policy enabled but it hasn’t been modified since 2021! I’m baffled as to why it’s just starting now
*Thread Reply:* Is this MAM only? I noticed the same with MAM only, application protection policy that enforces a PIN but also conditional launch on Android version and rooting. A conditional access rule that only allows access when the APP has been applied. It seemed without the CA rule, we did not see the Device Admin activate, but with the CA applied, we do. Does that sound similar?
*Thread Reply:* That sounds exactly it! We recently just deployed a CA with that exact parameter!
*Thread Reply:* Did you ever find a fix/workaround?
*Thread Reply:* No unfortunately. It is weird that a CA rule somehow forces that. Or maybe, at the same time, the APP acts differently? It wasn’t an issue for my customer, so we accepted it as is to be honest.
*Thread Reply:* I’m still going to try get our exchange admins to delete the exchange active sync mobile policy against a test user and see if that has any effect
Hello! Is Microsoft Launcher only possible to manage on a "Corporate Owned Business Only" enrolled device?
I have a use case where I enroll Dedicated android devices, I want to centrally manage the wallpaper etc but I cannot use Microsoft Managed Home Screen for other reasons. I manage to install the Microsoft Launcher app and manually start it, however the app-config (containing wallpaper URL etc) is not applied.
*Thread Reply:* Hi, we're using MHS for AE Dedicated Devices. Currently we're not managing the wallpaper, but all other settings were applied.
I remember reading a post (may not have been here) that showed how an admin can see via a browser what Graph Permissions are being utilised when clicking through certain things in Intune. Does anyone know how I can view this. If I remember rightly, it was using some of Edge/Chrome extension but can’t remember exactly
*Thread Reply:* Graph X-Ray?
https://microsoftedge.microsoft.com/addons/detail/graph-xray/oplgganppgjhpihgciiifejplnnpodak
*Thread Reply:* Looks like that will do the job! Thanks @Nico Hermeling
Any suggestions how to set android device name to SN or IMEI in a good, automated way? I only know that we can rename individual device but we need automation. Any ideas folks?
*Thread Reply:* We created a logic app which uses graph API to achieve something similar.
*Thread Reply:* @Daniel is it possible to share your solution (send in dm)?
I use a script I run every five minutes in recently enrolled devices.
*Thread Reply:* @Sharkey Is it possible to elaborate more on that and maybe if you can share the script?
*Thread Reply:* I use some graph api scripts that rename the devices. It targets the devices that were enrolled today and I have it running on a server in schedule. I’ll see if I can clean it up and share it. It’s pretty specific to my use case right now.
*Thread Reply:* @Sharkey thanks for info, would appreciate if you can share the script later 🙂 👍
*Thread Reply:* What are you changing? The management name in Intune or the device name on the device? I'm searching for an automated way to change both names as well, but haven't found anything. We're using Android Enterprise Dedicated (kiosk) devices.
*Thread Reply:* @Nico Hermeling I want to change device name and we are also using Dedicated (kiosk) devices.
*Thread Reply:* I’ll try and clean it up today. But I’m changing both. It’s using different graph calls. It’s quite the pain in the a$&. But it works.
Any ideas how to export device data that contains which Enrollment profile the device has? (located under Hardware > Enrollment Profile when going into a specific device)
I am looking for json values of the Samsung Email app for Intune - can anyone tell me the values for the easperiodemail - I want to configure to sync all mails.
*Thread Reply:* https://docs.samsungknox.com/devref/knox-sdk/reference/com/samsung/android/knox/accounts/ExchangeAccount.html
syncLookback is the key. Number of previous days to sync email Value 1 - 1 day, Value 2 - 3 days, Value 3 - 1 week, Value 4 - 2 weeks, Value 5 - 1 month
Tbh: I am happy there is no “forever” option, as it is a horrible idea to sync all mails…
*Thread Reply:* Thank you Mark. I was not able to find that.
*Thread Reply:* Just out of curiosity - why would you say it is a bad idea to sync all mails?
*Thread Reply:* Unnecessary data usage, load on Exchange during initial sync and all syncs thereafter. Search is working pretty well in most mail apps and the search is typically run on all items in the mailbox, not locally on the device.
Anyone had any joys using Edge on iOS with URL allowlists. I have followed their guide and used the following format `https://*.domain.com/*` (without space) as a catch all for that domain but just get “Site Blocked” error. Any specific format that people have used for domains and sub-domains
*Thread Reply:* `https://*.domain.com/**` should match all subdomains
*Thread Reply:* Yeah I tried that but it just blocks everything including the domain I added to the list. If I go to
*Thread Reply:* It doesn’t show up in there either
*Thread Reply:* `https://*domain.com/**` should match everything-domain.com
*Thread Reply:* And you are typing the https:// in the browser right?
*Thread Reply:* Yup I thought that and even added in http but no joy
*Thread Reply:* Think it’s going to be a case to MS at this point
*Thread Reply:* Using a pipe | to separate the values (no spaces)? It used to work with a custom XML (that I know of), maybe try that in designer mode?
*Thread Reply:* I’m using the native app configuration settings that MS have built in to the iOS app. I don’t recall seeing the designer mode but will try to check again. I’m only attempting it with one URL at the moment so need to pipe the values. Will play with it again today. I remember having the same issues with Chrome the first time I used Allow Lists, so it’s probably just me doing something incorrectly 😂
Is somebody else seeing this thing where a lot of the personally-owned work profile Android devices are all of a sudden not reporting their Security Patch Level anymore? I know that Android is pulling more and more information when it comes to personally owned devices, but running my daily script this morning it gave me feedback that the majority (80 %) of devices all of a sudden have this field set to Blank, which gave me the feel that this might be more of a bug than this being expected behaviour. And it’s different OS versions, some are 12, most are on 13
Is there a restriction for iOS devices to block the ability to add a network share within the files app? We want to block users from adding SMB shares.
*Thread Reply:* In order:
First you find out if Apple actually supports such a thing: https://developer.apple.com/documentation/devicemanagement/restrictions It does:
allowFilesNetworkDriveAccess
boolean
If false, prevents connecting to network drives in the Files app. Requires a supervised device. Available in iOS 13.1 and later.
Default: true
Then you look for something similar / named roughly the same in Intune: https://learn.microsoft.com/en-us/mem/intune/configuration/device-restrictions-ios It does:
Block access to network drive in Files app: Using the Server Message Block (SMB) protocol, devices can access files or other resources on a network server. Yes prevents accessing files on a network SMB drive. When set to Not configured (default), Intune doesn't change or update this setting. By default, the OS might allow access. This feature applies to: • iOS 13.0 and newer • iPadOS 13.0 and newer
*Thread Reply:* Thank you Mark 🙌 🍺 I bet there is no config yet to configure a network share within the portal like you could with MobileIron Docs@Work. I am searching now. 😀
*Thread Reply:* No AFAIK, there is no option to remotely configure it
How to use ‘Android Enterprise dedicated devices with AAD shared mode’ with certificate-based WiFi? I want users to be able to access certificate-based WiFi when logged in in this mode, is it possible?
*Thread Reply:* Sure. Depends on your requirements but we achieve it with a device scep profile and a WiFi profile referencing this for authentication and voila, device is in corp WiFi by using cert based (bound to the device) authentication.
*Thread Reply:* Okay, sweet! How about Shared iPads using temporary sessions (not managed AppleID)?
*Thread Reply:* I believe it is exactly the same approach. As the shared iPads are enrolled to intune you can equip them with scep and wifi profile.
is it possible to push one app protection policy to iPhone and a different app protection policy for iPad of the same user? Basically, I would like to push different ‘incoming organization data’ settings for iPhones and iPads?
*Thread Reply:* You would need to use filters. But the below is something to bear in mind which can catch people out.
For iOS/iPadOS and macOS devices, use the model identifier. Don't use the model name. Only model identifiers are recognized for Apple devices. For example, for iPhone 8 devices, enter the model identifier as iPhone10,4 (no spaces).
*Thread Reply:* I have added these devices as corporate devices (using serial number as corporate identifier) and created a dynamic group for these devices. Then I have excluded the newly created group from the old APP and pushed the new APP to these devices. Now users should have the old APP for personal devices and another APP for corporate iPads. But this is not working. Users still have the old APP policies applied to the devices.
Did somebody ever use the option to enable lost mode on supervised iOS devices through Graph API? If yes, how did you make it work? I’m following the documentation below and constantly receive a 400 - Bad Request response even though everything looks exactly as in the docs. Also all other calls, for retire for example, do work without any issue
*Thread Reply:* Did you try it on the preview graph instead? Sometimes I find they don’t actually have things in the “stable” graph release. Just a thought.
*Thread Reply:* yeah, I’m using the “beta”, 1.0 officially doesn’t even have that in their docs, even though they have “disableLostMode”, very weird
*Thread Reply:* Yeah. It’s MSFT lol. Where you have to use beta for prod work lol.
*Thread Reply:* lol, I know right and then it’s really hit or miss, because with this one I feel like I’m doing everything right and something is off in the backend. when I reach out to them they probably gonna tell me “don’t use the beta for production tasks” - yet the production API doesn’t have that function….
*Thread Reply:* We usually go and look on the requests the intune frontend is making by using the developer tools of edge/chrome etc.
Just start the tools, make the action within the intune frontend for a test device and look how they are building the request. Maybe this helps ?
*Thread Reply:* Yeah, that’s what I also do and also did this time. I’m using the exact URL and payload that it gave me and the result is still 400: Bad Request. Will have to further investigate
Can anyone confirm that the app configuration policy for Gmail on Android Enterprise shows only the runtime permissions, but not the configuration keys? When I save the configuration I can see the empty values in the summary, but I can’t configure them because I don’t see them.
*Thread Reply:* Confirmed
If I deploy a MAM/APP policy to a set of users, but not enforcing it as a requirement via Conditional Access - how does it work? Does the MAM/APP prompt show up but is optional?
*Thread Reply:* As it’s based on groups, the conditional access piece is more of a fail safe in case the user is not in the group for targeting the APP policies. We just turned on conditional access as a fail safe in case users were not in the group they can’t have access to company resources
*Thread Reply:* I found that if a user met the prerequisites, (had client app and assigned app protection policy) the MAM would apply, however it's obviously not enforced.
*Thread Reply:* I recommend that if you are considering a MAM deployment to send the App Protection Policies first and then after a time period, activate the conditional access. This way, apps will onboard naturally and there will be less user impact at enforcement time
*Thread Reply:* I don’t think this approach is sustainable. Not for large deployments anyway. CA policies should always be the first thing that is checked and governed, then additional features like MAM should be checked then allowed
*Thread Reply:* If you apply CA without a relevant app protection policy already synced to the device, the user will be blocked. Probably won't be a happy user. Groups should be identical between app protection and relevant CA (unless you intend on blocking BYO for some users)
Android dedicated device with multi-apps - do I have to add the managed home screen also to the device restrictions or is it enough to only assign the app?
*Thread Reply:* ~You need to assign MHS app to your devices as well.~ Sorry, posted to quick... You do not need to add the app in the multi app section of the device restriction.
Anyone with experience from using Knox Remote Support in combination with Intune?
Anyone else having real issues with intune today? My profiles are not working right across several tenants. Nothing is installing or removing like they should.
Friends! I have a public android app assigned to a dynamic device group containing a large number of dedicated devices. The update priority is set to Postponed Then I have another device group containing a subset of the devices assigned, but with the update priority set to High Priority. My idea was to be able to test upgrades of the app on the devices in the High Priority group before installing it widely to the large group.... but no 😞 ALL devices get the "postponed" assignment. Any ideas of why? One more detail, the second assignment with "High Priority" was added after the one with "Postponed". So, the app was originally installed on all devices with "Postponed"
*Thread Reply:* Can you add the subgroup to exclusions in the postpone group? Probably not the best way to do it but it should work
*Thread Reply:* Yep, I tried that but the result was that the app got uninstalled
*Thread Reply:* Yes, it is really strange and no logic at all. I'm thinking, all devices got the app installation from the "postponed" assignment originally. I then added the other "High Priority" assignment... Could it be that since the device already has the app installed from the original assignment, it doesn't care what other assignments I add? (Doesn't make sense, but would explain the behavior)
*Thread Reply:* I think there is some kind of conflict which intune resolves. Wouldn't expect this to be considered as an issue by MS... Maybe you should try a filter approach ? Something similar is described here: https://learn.microsoft.com/en-us/mem/intune/apps/apps-deploy#how-conflicts-between-app-intents-are-resolved
*Thread Reply:* There may be a bug and you need to report it. Verify by getting the "App" V1 deployed to the "deviceA" and then pushing "App" V1.1 to the "deviceA" with Postponed Enabled. If the V1.1 gets deployed, it means there is a bug.
*Thread Reply:* Could also be because devices in TESTDEVICES are also in the NEDAP or the other way around.
Folks! After the latest update of MS Managed Home Screen some devices (not all, strangely enough) start flickering at the log in screen. Anyone experienced the same?
Has anyone ever seen the error code 2016332086 (4026: Removal date in the past) for an iPhone? I looked it up in the Microsoft documentation and couldn’t find anything about it.
*Thread Reply:* This is a service error according to MS. This usually means a support ticket is needed to check Something in the backend.
*Thread Reply:* Interesting, because I had two tickets open so far and they would tell me that was an issue with the device and the error code is nowhere to be found on the error page linked, I looked it up multiple times.
we're kicking the tires on Intune again. I have a few questions about Android work profile devices:
Folks! Regarding Device Passcode restriction policy. We have dedicated Android devices enrolled in Intune. Depending on what dynamic device group the device is member of, it should get different configurations for different use cases. One of the device groups has a device restriction profile assigned, with a Device Passcode setting. Problem is that it seems that Intune can only enforce (prompt the user) to set a device passcode on enrollment, not at a later state. Since we need to be able to change device restriction policy dynamically this is an issue. Anyone have a solution to how to force a device passcode policy to a dedicated device without assigning it to "All devices" upon enrollment?
*Thread Reply:* Yeah I've seen this issue, due to dynamic device groups being slow to populate and then send policies to devices. I typically use User groups with a filter for much faster assignments post enrolment. You could try a filter with All Devices. The filter can be the enrolment profile name. That might assign faster as it would be using the virtual All Devices group
Does anyone know a way how to block URLs for Firefox on iOS and Android? Documentation is not really helpful
*Thread Reply:* I am not sure if that is even possible. It being mainly a personal browser in most cases, I wonder about the use-case.
*Thread Reply:* Oh okay, Edge, Safari and Chrome do offer possibilities that’s why I was curious if Firefox had the same and I’m simply not able to find instructions.
Hello! We use Managed Home Screen and enable overlay permission for it. Some time ago we ran into problems when a site browsed to in Edge could not ask for permission to use the camera. This was solved by setting the "Enable Overlay Permission Detection" to false in the app configuration for Edge.
Now however we are experiencing a similar problem, probably since a new release of Edge. When we browse to the same site, it asks for camera permission, but we cannot tap either the Block nor the Allow button and we cannot get past that screen. If I exit Managed Home Screen (Exit kiosk mode) I can grant access for the camera without a problem.
Is there a way to set a lock screen message on iOS and Android? I can use the Config for Lock screen message (Footnote) but the message displayed is too small and at the very bottom of the home screen. Is there a way to change the size? or any other option to display text (if lost please contact ...) message on the device home screen? Any help is appreciated.
*Thread Reply:* You could create a lockscreen wallpaper with the info overlayed on it.
*Thread Reply:* Yes, I can do that for iOS with a config profile but for COWP Android devices I cannot find any way to push the wallpaper.
*Thread Reply:* With Android Enterprise, the only way to do it is with a lock screen message.
This should be quite easy and I am probably missing something. Let's say I have a security group(s) defined for ADE/corp enrollment and BYOD authorized enrollment, but I have a user in both. If I have a profile that is specific to ADE/corp devices or byod devices, how do I make sure those profiles only deploy out to the correct devices? I assign the profiles to the ADE/corp security group, but because the user is in both, the device gets both the ADE/corp profile(s) and the BYOD profile(s). This is very easy and simple with other vendors.
*Thread Reply:* Look into using filters. I use the enrollment profile field as a filter. If it has a profile, it’s an ADE device.
*Thread Reply:* Seems it really is that easy
*Thread Reply:* Filters are brilliant. In a simple environment, you can get away with not having any groups at all :)
Does anyone else have this problem with new out-of-the-box devices? After I complete the iPhone initial setup, I cannot proceed to the Intune setup the phone freezes. Intune's sign-in page appears after I reboot the iPhone (volume up and down, then power button). We've ADE setup with Run Company Portal in Single App Mode until authentication. There is no problem with re-enrol devices.
*Thread Reply:* This is a common issue with single app mode. You should really consider moving to Setup Assistant with Modern Authentication instead of Company Portal in Single App Mode. Yes it introduces a need to login to the Company portal after login but saves so much headache when the company portal just hangs in single app mode.
Happy new year! Anyone using Managed Home Screen and experiencing that when a web site asks for permissions to access the camera, location, etc you cannot tap Allow or Block buttons?
https://mobile-jon.com/2024/01/17/new-windows-365-boot-features-in-public-preview/amp/
Hey everyone, I'm curious: have you ever seen where your MAM users have to randomly re-register their Outlook app in order to keep syncing email?
*Thread Reply:* Yes, only on iOS devices. I noticed it happens only when I don't open the Outlook app for a couple of days.
*Thread Reply:* That might be the Offline grace period in the Conditional Launch settings of the protection policy: https://learn.microsoft.com/en-gb/mem/intune/apps/app-protection-policy-settings-ios?WT.mc_id=Portal-Microsoft_Intune#conditional-launch
Some of our users have reported issues on their iOS devices (BYOD device enrollment) with the latest versions. Apps such as WhatsApp and the Phone app become unresponsive. These apps function normally upon Intune profile removal. What could be the root cause and any workaround?
What version of iOS are they on? On just a standard, non-enrolled IP15PM, I saw this lately with some apps. The phone was on 17.2.1. It required a finger combo hard restart and it went back to working normally. Last time this happened to me was when I was connecting my airpods to make a call and the phone completely locked up. Restarted my phone and it actually reset my airpods and removed them from my icloud account.
They are on 17.2.1. Some of these users were facing delay in contact search and managed to fix it by disabling Siri search in Contacts settings.
I'm setting up Knox Mobile Enrollment (KME) with Intune for the first time. I created the Intune token and configured the KME profile which is assigned to a test device but that device never gets the KME/Intune screens during setup. I see the screen shown in the screenshot below but it's not getting enrolled. Can someone point me in the right direction as to what may be causing the issue?
I reviewed the MS and Samsung instructions as well as these instructions and everything is configured properly from what i can tell. https://www.petervanderwoude.nl/post/using-samsung-knox-mobile-enrollment-with-microsoft-intune/
*Thread Reply:* Potentially a port related issue, have you checked the following documentation: https://docs.samsungknox.com/admin/knox-admin-portal/get-started/samsung-knox-firewall-exceptions/
Try a different WiFi network. Looks like it gets so far and is perhaps then unable to reach a particular service to complete the setup. Not experienced this myself though.
*Thread Reply:* hey @Robert Schafer, thanks for the link, I hadn't seen that before. I tried on my home Wi-Fi as well as tethering from my phone but getting the same experience. Not sure what I'm missing
*Thread Reply:* Are you sure the JSON is correct, no typos or spaces? You can check here, by copy pasting the string from the KME profile to: https://jsonlint.com
*Thread Reply:* the JSON is correct. I thought once the device connects to the internet it would go through the KME steps on its own. I shouldn't need a QR code or another device set up with the Knox app to enroll, right?
*Thread Reply:* @brob did you try a hotspot from your phone? or just a good old restart of the phone?
*Thread Reply:* yes, I tried the hotspot from my phone and have reset the phone a bunch of times
*Thread Reply:* is it just one phone or all of them?
*Thread Reply:* I'm just setting this up for the first time so it's just one test device which is assigned the profile in KME. I opened an MS ticket and they confirmed I set everything up correctly and they recommend reaching out to Samsung to investigate. Since I haven't set it up before I'm wondering if I'm missing something, but it seems everything has been configured correctly per the docs at least.
*Thread Reply:* Well, I do see this screen quite often but it should pass it within about 20-30 seconds, maximum 1 minute.
*Thread Reply:* It gets past that screen but then just proceeds through the setup like a personal device and doesn't enroll.
*Thread Reply:* Apologies, I didn’t realise you got past the screenshot you posted. Can you pop a screenshot of your KME configuration? (Scribble out the token) I’m sure it is right, but just to be sure.
*Thread Reply:* thanks: {"com.google.android.apps.work.clouddpc.EXTRA_ENROLLMENT_TOKEN":"XXXXX"}
*Thread Reply:* I see nothing wrong with that, as you said yourself it’s correct. If you are able to enrol a device using the QR code in Intune with that same token, it sounds like something device specific. I would suggest trying a different device. You could also after switching the device on as a normal consumer device, update the OS, reset and try again, in some rare cases this has worked for me.
Hey folks, does anyone here know how to configure WDAC for Windows 10/11 so that it can be overridden by a user with local admin privileges in a scenario where we need to install a single application on a single device?
*Thread Reply:* In general, this would not be possible (as it should, apps should be packaged and distributed with appropriate WDAC rules). But there are some workarounds, here are some: https://www.reddit.com/r/Intune/comments/14bkfad/can_local_admin_bypass_wdac/
*Thread Reply:* The "solution" is to disable the policy with a PS script and reboot the devices. You have a short period to install the app before the WDAC policy kicks in again. If more time is required, you can disable the Intune management service.
Hi all,
apologies if the question has been asked several times but I could not find it...
We use Intune as our EMM and our mobile phone resellers add devices to Zero Touch for us. We have defined a default configuration in Zero Touch called 'Corporate-owned devices with work profile'... however all mobiles added by our resellers do not get assigned this one but one called 'Enterprise Default Profile'.
From what I read this is because a link has been made between Zero Touch and Intune... that was done by somebody who left our company and I have no idea how to unlink. Can anybody help?
*Thread Reply:* Hi, you should be able to see this ‘Enterprise Default Profile’ in the Zero Touch portal under Configurations. Also you should be able to assign your configuration to all devices by going to Configurations, no matter what somebody else configured before.
*Thread Reply:* It could also be any of the below options
If devices are automatically being assigned to that profile (without enrollment) then possibly the reseller is including the ProfileID in their uploads to map it to this profile
Or
You have the wrong Token assigned to your profile from Intune so devices that are enrolling are being enrolled into the wrong profile.
*Thread Reply:* I'm not seeing any configuration called Enterprise Default Profile in the Zero Touch portal, and if I manually assign the profile I'd like to be the default to a device, then that device provisions properly.
We also checked and neither of our 2 resellers includes any ProfileID in their uploads.
*Thread Reply:* note and it might have its importance: the default profile we want would be a "Corporate-owned devices with work profile" as opposed to a Fully Managed
iOS 17.3 update re-enrolls some ADE devices in Intune, leaving them supervised but with no enrollment profile…
Has anyone else experienced that some iPhones and iPads that are enrolled via ADE/DEP seem to re-enroll during the update to 17.3? I have a customer where around 40-60 devices out of 500 have experienced this. The problem is that the enrollment profile disappears, so all the policies and apps that we push using that as a filter or dynamic device group are removed from the devices 😞
Is there a need to define the radius server in a WiFi profile for Android Enterprise devices on 13 and newer or is that optional?
*Thread Reply:* AFAIK it is mandatory. We had a discussion with the community around May last year. RADIUS server hostname or domain (depending on how it is configured on the RADIUS side).
*Thread Reply:* ufff, okay, thanks for letting me know, might have to tweak our profiles then
*Thread Reply:* Based on my experience with Samsung Android 12+ devices and Workspace ONE UEM : • Domain = RADIUS server hostname or domain • Root Certificate = crt file with Root CA followed by Issuing CA
*Thread Reply:* For Android 11 and older, no need to add the Domain field or the Root certificate
*Thread Reply:* the Root CA was already in place and it worked for some time, but now I heard first complaints so I will have to look at the RADIUS part here
*Thread Reply:* IIRC this was something enforced by Google on Android 11 mid release via a security patch.
*Thread Reply:* The strange thing is that it didn't really affect anyone until mid 2023
*Thread Reply:* With return to office going on, this is why
*Thread Reply:* At least I think that is why this slipped through for me until now
*Thread Reply:* It affected devices starting December 2020 but we really didn't see it pop up until users returned to office
Hi Folks, we're rolling out some Samsung A53s with a COPE/Intune setup and would like to be able to locate the devices if they are lost. Does anyone know of a way to force the app permission for Intune to always have access to device location? I know it is possible to manually turn this on (from MS - "For corporate-owned work profile devices running Android 12 or above, also have the user of the device enable location permissions by navigating to Settings > Apps > Intune (in the Work tab) > Permissions > Location > Allow all the time."), but it would be great if the users didn't have to go through this process.
VPP Outlook app update on iOS results in an in-app update popup loop. Volume Purchase Program (VPP) iOS Outlook app that is distributed through Apple Business Manager on iPhones fully managed by Microsoft Endpoint Manager (Intune).
When the app is updated and a managed device picks up the availability of the update, the iPhone will show an alert with the following format:
"<OrganizationName> is about to update the application <ApplicationName>"
The user is presented with two options in the alert: Cancel or Update.
For a few iPhones, it does not matter which of the two options the user selects, the popup will immediately reappear.
If I check the app version it is already on the latest version available.
Has anyone else seen this issue?
*Thread Reply:* The app is in use. iOS will not allow an update if the app is in use. Thus the individual using the device is prompted. If OK is tapped, the app will quit and be updated.
You have automatic updates enabled on your vpp token? I've only ever seen this if auto update is not enabled.
It is happening more and more that even though a user is in the correct group, the Android configuration will not show up under "Device configurations" within the device details. Digging into this deeper with the reports, the configuration is stuck in pending. No one changed the configuration and other devices don't have that issue - seems only new enrollments. Is anyone else seeing this?
Yes, the same for removing the configuration as well. Last time I waited 48 hours for the configuration to disappear.
I’m seeing the same issue with a wifi configuration profile I have, the report shows pending and the device itself doesn’t even show the config profile. Weird thing is, this only applies to this profile that I have created only a few weeks ago, older config profiles, also wifi do work. I have a call with Microsoft today where I want to address that
Can anyone shed some light on how to configure the SSO extension for iOS devices using PingID? The use case is to have SSO for web servers accessed via the Edge browser using Intune VPN on iOS devices.
Anyone using Managed Home Screen on dedicated Android devices and have problem to "Exit kiosk". We have hundreds of devices same model, same os, same all... on most devices "Exit Kiosk" works after typing the configured PIN code, but on some devices I just get back to the Managed Home Screen Sign In screen. Ideas?
https://mobile-jon.com/2024/03/05/the-workspace-one-admins-guide-to-intune-part-1
Anyone else having issues with USB transfer on Fully Managed Samsung devices? This stopped working today. No policy has been modified. Samsung update issue?
*Thread Reply:* I am working at the exact same right now!!
*Thread Reply:* Having A52/A54 devices with COPE where users are complaining about the blocked USB.
I factory reset my device and now I am able to do USB file transfer again. But that is not a solution, obviously!
I had a look into the restrictions in the Device Policy app on an affected device (A54):
deviceConnectivityManagement: {"usbDataAccess": "USB_DATA_ACCESS_UNSPECIFIED"}
On my factory-reset and freshly enrolled device (A54): deviceConnectivityManagement: {"usbDataAccess": "ALLOW_USB_DATA_TRANSFER"}
100% sure it is the same policy and groups for those two devices...
*Thread Reply:* Interesting. 🤔
How did you retrieve that information from the device - ADB?
*Thread Reply:* Open the work Play Store, search for Android Device Policy, open the app from there (as it does not show up on the home screen).
Tap on "device info that your IT admin can see" > tap multiple times on "model" (5-7 times), go back, tap on "policies that affect your device" > 3 dots > enable "view policies".
Scroll down the list to "deviceConnectivityManagement" (the list is sorted alphabetically) and look at the values (you can also tap on it).
*Thread Reply:* I am now raising a case with Microsoft…
*Thread Reply:* @Mikey2000 Maybe I have found an easy workaround for this. just open your config in intune admin portal, click on edit and save the config without any changes being made.
does this solve the issue for your devices?
*Thread Reply:* You mean the restrictions?
*Thread Reply:* yes. the policy you rollout to your devices. https://intune.microsoft.com/#view/Microsoft_Intune_DeviceSettings/DevicesAndroidMenu/~/configProfiles
*Thread Reply:* I will give it a try
*Thread Reply:* I found a value mismatch in the JSON files (Graph API).
We have two policies with the same values in the Intune UI but they reflect different values in the resulting JSON stored in the service:
Left side: the values of our production policy. Right side: the values after I did the NOP edit/save.
*Thread Reply:* Very interesting!
*Thread Reply:* came across this mismatch because we have another test policy with the same settings but the file transfer was not blocked while my test device has been assigned to this policy. null is not the same as false
maybe some (failed) data migration within MS universe…
let me know your outcome on this, I am still waiting for the policy to be applied on our devices to see what happens. I think it should solve the issue!
*Thread Reply:* https://developers.google.com/android/management/reference/rest/v1/enterprises.policies#usbdataaccess
*Thread Reply:* Google updated the default policy to have USB file transfer disabled
*Thread Reply:* So you’ve just experienced some of the perils of AMAPI and Google changing defaults on a whim
*Thread Reply:* Dummy editing the restrictions solved the problem
*Thread Reply:* @Matt Dermody Thanks, but in my opinion it does not explain why one of my Intune policy sets did work like charm without any changes to it and the other one needs a “dummy update” to save the correct values.
Fixed for us, however.
Anyone seeing VPP iOS app issues being downloaded and installed to devices? Got a case raised with MS but no joy yet. Both supervised and non-supervised devices seem to be having issues
Well, it is intune. It deploys apps whenever it feels like it.
*Thread Reply:* Can’t be mad at that comment as it’s so true 🤣
*Thread Reply:* Yeah but we’re defo seeing a VPP issue. Unknown VPP error code is what we’re getting against all apps deployed
*Thread Reply:* I heard Apple had some VPP issues recently. Probably affecting a few EMMs 😢
How can I restrict any screenshot taken while in the Work profile (Android) so that it does NOT save in the personal profile > Files app on a Pixel device or any Android flavour? Can any restriction profile take care of this?
Update to QPR4 in Android 13 or Android 14, and it will change out to work profile by default. Prior to that all you can do is block screenshots outside of Samsung
Yes, deny screenshots all together. I mentioned Samsung because they fixed the screenshot location in knox eons ago
*Thread Reply:* Gotcha! So in a BYOD scenario, we can block screenshots collectively for Android 14 and below via profile, right? @Jason Bayton
*Thread Reply:* Okay, so do downloads happen the same way as screenshots?
*Thread Reply:* Two completely different things lol, but downloads will save in whatever profile they're accessed through
What I have always told customers is do not fixate on preventing screenshots. Nothing prevents an end-user from taking a screenshot of a device with another device.
*Thread Reply:* agreed. Some form of water marking feature might help.
*Thread Reply:* I'll just point my screen at any other device in my house, car or pocket and take a picture. When folks want to do something, this method of blocking screen shots won't really prevent that.
Is anyone else seeing the issue where File transfer and Image transfer not working for Intune-enrolled Android devices via USB? Even if there is no restriction applied.
*Thread Reply:* Might help if you read the prior messages in channel first ; )
*Thread Reply:* https://mobilxperts.slack.com/archives/CH3A5MY5D/p1710328286551499?thread_ts=1710326217.821089&cid=CH3A5MY5D
*Thread Reply:* Ah, I recall reading this thread, but somehow it slipped my mind. 😅 Thanks for the reminder!
Is anyone here able to get the Microsoft Entra (Azure AD) Object ID of a device with the help of the Microsoft Entra Device ID that you can get from Intune using Graph API?
Ideally without first getting all devices out of Entra and then looping through it until you find what you need. I’m looking for a call that can be run just using the Device ID so I only get back what I need and not everything
*Thread Reply:* Have you tried the Graph API GET /devices/deviceID API call? I’ve never tried it to retrieve objectID specifically but can certainly try that tomorrow if I get a chance
*Thread Reply:* What’s the use case for needing the objectID out of curiosity
*Thread Reply:* I tried that one, but that only works with the Object ID, if I put in the Device ID which is also part of the Object, I get nothing back 🫠
*Thread Reply:* I’m trying to get an app installation report from Intune, then use the information from there to update a device group that is in Azure
How often does Intune evaluate sessions for being compliant with conditional access? We have had a few users on BYOD devices manually remove the MDM profile, but they retain email access for a bit until the Outlook mobile app recognizes they are no longer "compliant". Is that normal?
Is there a setting I am missing in Intune? I haven't needed to daily Intune for a few years since my current company didn't use it as an MDM (until now) wouldn't be surprised if I missed something.
*Thread Reply:* I’m assuming this is for iOS devices as with an Android device unenrolling the device would pull the work profile together with Outlook in it. I don’t know how often Intune checks, but from my experience after removing the profile the token is usually pulled within 30-60 minutes so users also lose access to Outlook. Most of the time it doesn’t happen immediately, as that is what I also expected when I started working with Intune.
*Thread Reply:* Yep as Jay has alluded to, I'd say it's the token on the device too. The token has a lifetime that is separate, and Conditional Access may have a delay in kicking in due to this token lifetime.
2 ways to combat it could be using App Protection and having a tight "recheck for access" frequency (alongside conditional launch), or investigate token lifetimes here https://learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes
*Thread Reply:* Awesome thanks for that info. The second wrinkle in this is we are just piloting Intune as the mdm. Currently use Ivanti Neurons. But we are using the partner compliance feature.
So we also have users still on Ivanti Neurons who manually remove their MDM profile on BYOD. Their device doesn't always report back that they removed management, so Neurons thinks it's still enrolled and compliant. So it reports to Intune that it's still compliant.
And they keep email access until their last device check in hits our automatic aged clean up rule.
But that’s more of an Ivanti issue from what I understand. I'd have to do a really tight last check in compliance policy to catch those devices. Nothing on the Intune side can fix that afaik
Part 3 today: https://mobile-jon.com/2024/04/03/the-workspace-one-admins-guide-to-microsoft-intune-part-3-apps/
Friends!
I have a Google Play app delivered to us in a closed test track. Previously ver 2.6.36 of the app was assigned to a group of dedicated Android devices. When a new version, 2.6.39, was released to us I removed the check box for the previous version and marked the checkbox for the new one, expecting that the app should be upgraded on all devices, but nothing happens at all. Any idea what's wrong?
*Thread Reply:* I think the best approach is to promote the release to production. How much time did you wait? If I remember correctly there is a limit for the number of devices in a track, maybe it is related.
*Thread Reply:* How long has it been, and are the dedicated devices in kiosk?
*Thread Reply:* It published the update 4 days ago so all devices have synced since then. Did the same on a separate assignment for my device, installing ver 2.6.36 and then checking version 2.6.39, nothing happens. I have forced syncs both locally and via Graph API, but no updates. The strange thing is that I have several devices installed with the later version, but they are not updated from the previous version.
Could it be something that the app-developer must accept or grant in their Google Play console? Any changes made there recently that might cause the app to not install?
*Thread Reply:* On my test device without any previous install of the app, I assigned the latest version and that works. So problem seems to be upgrading from 2.6.36 to 2.6.39. Confusing!
*Thread Reply:* Is the update signed with the same signature? With any affected device can you pull a bug report?
*Thread Reply:* I don't know if it is signed with the same signature, it's a 3rd party developer. I can try to get in touch with someone. Would that explain the behaviour? Possible to install separately but not possible to update?
*Thread Reply:* That would do it, and a bug report would confirm it
*Thread Reply:* ok, interesting. Is it a dumpstate log you need or how do I collect such log?
*Thread Reply:* https://bayton.org/android/how-to-capture-device-logs/
:) full BR
*Thread Reply:* Do you see on app page on PlayStore app on the targeted devices that account is part of the beta program?
*Thread Reply:* Ah ok, the good old developer "mode+USB to PC trick"
Do you know if I can find the information needed if I collect logfiles via Knox Asset Intelligence? All our devices are remote
*Thread Reply:* You can do it with several mdm? Do you use one?
*Thread Reply:* Yes, we use Intune (call it MDM or not:) ) But we also use Samsung Knox Asset Intelligence where we can collect diagnostics from the device, dumpstate logs etc, and I wonder if I can find the neccessary information there
*Thread Reply:* I don't remember if we can do it with Intune, but I think not 😞
*Thread Reply:* I can't say I've dabbled with asset intelligence so... Pull everything it offers?
*Thread Reply:* logfiles from the device with the previous version installed: Enactor ver 2.6.36
*Thread Reply:* Sending another one soon when trying to update
*Thread Reply:* com.enactor.mobile.android.pos.EnactorMobileClientCustom
*Thread Reply:* This is getting even stranger. I just tried again on my test device to upgrade from .36 to .39 and for some reason it worked. The app assignment looks exactly the same for my test device as for the device in production.
*Thread Reply:* The only thing that differs is the update priority, which for my test assignment is set to "High priority". Can't see that it should make any difference other than that the app won't be installed until the next maintenance window (nightly).
*Thread Reply:* over 2k lines of your package name in the log is taking me a bit of time 😄
*Thread Reply:* so the one that works has high prio set, but the other is just aligned to window?
*Thread Reply:* Yes, the assignment with "Default" priority is the one that does not work.
All devices have a restriction policy with a "Maintenance window" configured in order for updates not to occur during business hours. As far as I understand, the update priority "High Priority" just overrides the restriction and other conditions and installs the app ASAP. In this case I expected the app to update during the nightly maintenance windows during the weekend.
*Thread Reply:* How long are your windows? If the app doesn’t come down during the period it won’t install outside of the window either
*Thread Reply:* NM I see it, 5 hours. That should certainly be enough
*Thread Reply:* 04-08 12:08:31.514 10243 5077 5640 I Finsky : [61] zvu.d(7): PIM: Loading icon for: com.enactor.mobile.android.pos.EnactorMobileClientCustom
04-08 12:08:31.515 10243 5077 5660 I Finsky : [69] jtq.apply(56): SCH: Scheduling 1 system job(s)
04-08 12:08:31.515 10243 5077 5640 I Finsky : [61] scc.d(117): Waiting for bitmap for com.enactor.mobile.android.pos.EnactorMobileClientCustom
04-08 12:08:31.515 10243 5077 5660 I Finsky : [69] acbe.d(246): SCH: Scheduling system job Id: 9592, L: 32279472, D: 33179472, C: false, I: false, N: 0
04-08 12:08:31.521 10243 5077 5077 I Finsky : [2] scb.agQ(21): Received bitmap for com.enactor.mobile.android.pos.EnactorMobileClientCustom
04-08 12:08:31.522 10243 5077 5640 I Finsky : [61] odp.a(439): PIM: Successfully retrieved bitmap for package: com.enactor.mobile.android.pos.EnactorMobileClientCustom.
04-08 12:08:31.523 10243 5077 26077 I Finsky : [477] acda.a(24): SCH: job service finished with id 9586.
04-08 12:08:31.526 10243 5077 5665 E Finsky : [67] lfd.a(287): PIM: Unable to fetch icon or update session for package: com.enactor.mobile.android.pos.EnactorMobileClientCustom.
04-08 12:08:31.526 10243 5077 5665 E Finsky : com.google.android.finsky.installercommon.InstallerException: Status: 5426
04-08 12:08:31.526 10243 5077 5665 E Finsky : at wnt.a(PG:295)
04-08 12:08:31.526 10243 5077 5665 E Finsky : at atfv.d(PG:3)
04-08 12:08:31.526 10243 5077 5665 E Finsky : at atfx.run(PG:42)
04-08 12:08:31.526 10243 5077 5665 E Finsky : at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
04-08 12:08:31.526 10243 5077 5665 E Finsky : at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
04-08 12:08:31.526 10243 5077 5665 E Finsky : at ncm.run(PG:304)
04-08 12:08:31.526 10243 5077 5665 E Finsky : at java.lang.Thread.run(Thread.java:1012)
04-08 12:08:31.526 10243 5077 5665 I Finsky : [67] scc.b(7): Canceling bitmap for com.enactor.mobile.android.pos.EnactorMobileClientCustom
04-08 12:08:31.530 10243 5077 5665 I Finsky : [67] pda.accept(66): SCH: Scheduling phonesky job Id: 3-248, CT: 1712570911476, Constraints: [{ L: 0, D: 86400000, C: 1, I: 1, N: 1 },
There’s one..
04-08 12:08:31.787 10243 5077 26070 I Finsky : [472] sim.O(33): IQ: Notifying installation update. [Package:com.enactor.mobile.android.pos.EnactorMobileClientCustom, isid:FmK55HrbTCKIy0Tgc5V02w], status=INSTALL_ERROR, status_code=1010, reason=enterprise_auto_install, tsc=PT0.365S
04-08 12:08:31.791 10243 5077 5077 I Finsky : [2] zvu.ahY(79): PIM: Handling install package event for: com.enactor.mobile.android.pos.EnactorMobileClientCustom status: INSTALL_ERROR, isid: FmK55HrbTCKIy0Tgc5V02w
04-08 12:08:31.792 10243 5077 5077 I Finsky : [2] zvu.ahY(206): PIM: Stopping icon download for com.enactor.mobile.android.pos.EnactorMobileClientCustom
04-08 12:08:31.793 10243 5077 5077 I Finsky : [2] scc.b(7): Canceling bitmap for com.enactor.mobile.android.pos.EnactorMobileClientCustom
04-08 12:08:31.798 10243 5077 5077 I Finsky : [2] ouy.r(174): DL: Data loader session turned off due to Incremental install not requested: com.enactor.mobile.android.pos.EnactorMobileClientCustom
04-08 12:08:31.801 10137 3030 24113 I HoneySpace.InstallSessionSourceImpl: onFinished 7793431, false
04-08 12:08:31.801 10243 5077 26087 I Finsky : [486] xtt.l(17): Session is stale, session is not alive: getNames not allowed after destruction
04-08 12:08:31.802 10243 5077 26087 I Finsky : [486] aatm.a(742): SM: Session with Context {name=com.enactor.mobile.android.pos.EnactorMobileClientCustom versionCode=60} was closed or abandoned in a consumer.
04-08 12:08:31.802 10243 5077 5077 I Finsky : [2] adfo.apply(359): IQ::HLD: ongoing installs that pauseAppUpdates callers must wait for: []
04-08 12:08:31.804 10243 5077 5581 I Finsky : [54] llx.b(25): AU2: Failure History successfully updated for package com.enactor.mobile.android.pos.EnactorMobileClientCustom, attempting to upgrade to version 60 with install reason ENTERPRISE_AUTO_INSTALL and status_code 1010
04-08 12:08:31.814 10243 5077 26093 I Finsky : [489] aatm.a(791): SCU: Successfully abandon the session for com.enactor.mobile.android.pos.EnactorMobileClientCustom[iid:85] [isid:FmK55HrbTCKIy0Tgc5V02w]
There’s two
Seeing lots of errors but no obvious reason why yet
*Thread Reply:* Sorry if I was unclear, this log was collected while the old version was installed but before I assigned the update. My idea was to collect new logs when the app "did not" update. But now it did
*Thread Reply:* oh, well then that was not worth the time to check it, LOL
*Thread Reply:* Thanks anyway! appreciate your help!
*Thread Reply:* @Jason Bayton Here's some new logs from a device I expected to get the new version of the app during last night's maintenance window. If you don't have anything better to spend your time on, I'd appreciate it if you took a look at this. 🙂
https://mobile-jon.com/2024/04/10/securing-local-administration-with-microsoft-intune/
Does someone understand the reason for this change? Why would they take the registration part out of the process and make it a standalone thing? What is the benefit of this?
For those who are interested, wrote something on patching Windows devices on Intune: https://mobile-jon.com/2024/04/16/deep-dive-into-windows-patching-with-microsoft-intune/
App update issues! We have a serious issue with Android devices not updating apps automatically as expected. • Android dedicated devices • Restriction policy with a Maintenance Window configured (01:00 to 06:30) • Apps assigned as required and update priority set to Default. I expect the apps to be auto-updated nightly, but a lot of apps are "stuck" in pending update. If I manually start Google Play I see all pending updates and can tap "Update All" and all apps are updated. As far as I understand, the maintenance window should override all other conditions and it should not matter if the app is currently active etc. Anyone with similar experience? Any ideas?
*Thread Reply:* Have you gotten logs to debug? I guess they're in kiosk?
*Thread Reply:* Hi Jason, these are the same devices we discussed earlier. What we have found out is that the app "Enactor" that we thought didn't update was in fact updated on the device, but it was not reported back to Intune. When remoting into the device and opening Google Play, I realized that there were several other apps with pending updates, including the Intune Company Portal and Android Device Policy apps. These devices are enrolled as dedicated, but without Managed Home Screen, so not in kiosk mode.
*Thread Reply:* I happily collect some dumpstate logs 🙂
*Thread Reply:* It should also be said that these devices always have the "Enactor" app running, and they are also connected to an external monitor using Samsung DEX
*Thread Reply:* This dumpfile is from a device that I recently (today) manually opened Google Play and ran "Update All" on
*Thread Reply:* I will collect logs from a device that is not manually updated, 1 min...
*Thread Reply:* This is from a similar device where the apps are not updated
*Thread Reply:* > but it was not reported back to Intune It’s a good thing Intune isn’t important to device management or anything 😛
*Thread Reply:* Where is the AI tool where you can upload dumpstate logs and get an instant solution to issues?!
*Thread Reply:* We haven’t figured out how to overpower the Googler with that knowledge to train the LLM yet
*Thread Reply:* 03-30 14:59:50.544 10292 27657 27896 E AndroidRuntime: FATAL EXCEPTION: pool-8-thread-5
03-30 14:59:50.544 10292 27657 27896 E AndroidRuntime: java.lang.NullPointerException: Attempt to invoke virtual method 'com.enactor.mobile.android.pos.AndroidMobilePOSApplication$State com.enactor.mobile.android.pos.AndroidMobilePOSApplication.getState()' on a null object reference
Probably unrelated but might be something to raise to dev.
*Thread Reply:* What version code/version number are you going from and to?
*Thread Reply:* The Enactor app should be updated from ver 2.6.36 (54) to ver 2.6.39 (60)
*Thread Reply:* But I suspect that it is somehow related to the Intune Company Portal or other apps not being updated. When checking the devices that according to Intune are still on version 2.6.36, they are actually running 2.6.39. When updating the apps manually (Google Play) there are pending updates for apps other than Enactor, and when updating those apps the correct version is reported to Intune.
*Thread Reply:* this device certainly still has 2.6.36
*Thread Reply:* are you referring to the device from the last file i uploaded?
*Thread Reply:* yup https://mobilxperts.slack.com/archives/CH3A5MY5D/p1713515380046139?thread_ts=1713512753.432979&cid=CH3A5MY5D
*Thread Reply:* I’m not seeing any obvious errors of it trying and failing to update
*Thread Reply:* OK, strange. I will try to get in touch with the user of this device, remote control the device and record the session.
*Thread Reply:* The first log I uploaded is from a device where Intune reported 2.6.36 but when checking the actual device it was running 2.6.39. And after manually updating the other pending apps, Intune said 2.6.39. But Enactor was not in the list of pending updates.
*Thread Reply:* I suppose device policy updating could have triggered a sync?
*Thread Reply:* I'm chasing the user of the other device right now
*Thread Reply:* Just managed to remote into the other device, but couldn't catch a video. However, you were right (not surprised): Enactor was still on 2.6.36. And when starting Google Play, Enactor and a lot of other apps were pending update.
*Thread Reply:* So Intune might (or might not) show the correct version, however the problem persists: apps are not auto-updating as expected 😞
*Thread Reply:* The issue I'm having is with almost every log I'm not seeing explicit references to the schedule or play trying to update, and I don't think it's not happening, I just don't know if the log is capturing it.
*Thread Reply:* On a test device with the old version, could you set a custom window of an hour or so and capture a report just after the window starts, then again just before it ends?
*Thread Reply:* I just came a step closer to the solution
*Thread Reply:* These devices are running in DeX mode with a USB-c cable attached to a USB hub with external monitor and a barcode scanner
*Thread Reply:* Since the Knox Remote tool we use to remote the devices currently does not support Dex, we ask the user to disconnect the device.
*Thread Reply:* As soon as they disconnect the device, Enactor (which is assigned as "High Priority") gets updated
*Thread Reply:* That's why I thought Intune reported the wrong version.
*Thread Reply:* So, the problem is related to either DeX as such, or the device being connected to a USB switch. I put my bet on DeX
*Thread Reply:* 😯 I wondered if DeX would impact updates but thought nah. That sounds like a support request to Samsung mate
*Thread Reply:* yup, I will verify this on Monday when I'm back at the office where I have a reference setup of the device with USB hub and all
*Thread Reply:* Big thank you for your assistance Jason! Beers on me when we meet
*Thread Reply:* Not sure if this is helpful but as per Google the devices should meet the below criteria and also the updates will only reflect after 24 hours, we have observed this via WS1 but again it is very inconsistent and intermittent like you are observing on your devices also -
• The device is connected to a Wi-Fi network.
• The device is charging.
• The device is idle (not actively used).
• The app to be updated is not running in the foreground.
*Thread Reply:* Would be interested to join the discussion if required. This is a very big pain point for the apps managed via the Play Store.
*Thread Reply:* I totally agree that app management is a pain point, it's hard to manage business critical apps for frontline workers when we can't tell exactly when they will hit the device.
*Thread Reply:* In this case all conditions were met when it comes to WiFi, charging, etc plus the app is assigned as High Priority which should override those settings
*Thread Reply:* High Priority does not even work in WS1. The device only picks up the update as like when it wants to pick it up but not ASAP.
*Thread Reply:* But when I realized what was causing the issue, it was quite obvious. All "High priority" assigned apps were installed instantly when I unplugged the device from the DeX USB docking station
*Thread Reply:* but that clashes with the ‘Charging’ logic mentioned under the prerequisites.
*Thread Reply:* Well, yes. But in this case it was not only charging. We connect our devices to a USB-C docking station with external monitor and other accessories via DeX. Still not sure if it is related to DeX itself or if it is something with the docking station
*Thread Reply:* https://mobilxperts.slack.com/archives/CH3A5MY5D/p1713525888371169?thread_ts=1713512753.432979&cid=CH3A5MY5D I can’t imagine doing that using Intune.
*Thread Reply:* I have no idea if it might be related, but I sometimes use USB-Ethernet adapters to ensure connectivity to Android devices when WiFi and cellular are not available, and for some rugged devices that need to run on Ethernet. The issue I see with devices that are connected to peripherals using USB is that if (and this goes for both iOS and Android) the device somehow identifies the connection as either USB-network capable or as an Ethernet connection, it will prioritize this over WiFi and cellular.
Again - not sure if this could have anything to do with it, but I would look at the logs when connecting to DeX and disconnecting to see if the network changes. Maybe DeX also has a way of holding on to an app, not allowing it to update while in DeX state?
Hi, we are seeing this AIP issue on our mobile devices where the "Add sensitivity" button/option does not show in the Outlook Mobile app for iOS. Users are unable to apply sensitivity labels to emails in the Outlook Mobile app, but in the desktop apps it's working fine. Any suggestion? #microsoft_o365 #aip #azure #security The MDM we are using is Intune
Hello, for the past few days, we've been experiencing issues with some terminals enrolled in Intune. Without even connecting to Intune, suddenly all applications deployed from INTUNE start disappearing, and the Play Store app remains blocked. Upon reconnecting to the network, clearing the Play Store app data, and synchronizing, all apps are downloaded again without any problems. This has been happening for 2 days, and we don't know the reason. It has occurred with devices added directly to the app and restriction group, as well as with users added to the group who, in turn, had devices assigned to them. It seems to be a bug with the Play Store.
Just sharing the final part in my four part series for those interested, AMA webinar coming next month: https://mobile-jon.com/2024/04/22/the-workspace-one-admins-guide-to-microsoft-intune-part-4-security/
EDGE Android Issue!
Strangest thing is happening. We assign Edge to our dedicated Android devices with Azure AD. Yesterday version 124.0.2478.50 (247805005) of Edge AI Browser was starting to install on our devices and we ran into a problem. The app shows a screen saying "Sign in to sync" and Add account. Normally Edge should just automatically sign in to the signed-in user's account. Pressing the "Add account" button results in the app just "thinking", a spinning blue circle, and nothing more happens.
The most strange thing is that the official version according to Google Play and Microsoft's release notes is 123.0.2420.102 (242010205). And if you Google "124.0.2478.50 (247805005)" you get information about Edge BETA, which we don't have assigned to our devices. How can ver 124.0.2478.50 (247805005) be installed on our devices?
Testing the exact same thing in our QA tenant, we just see ver 123.0.2420.102 (242010205)
Anyone experiencing this? Any ideas why?
Clear Data & Cache from app system settings may solve the issue as a workaround. Have you tried it?
Hi Daniel! Yes, tried that. After a while of "spinning circle" the app crashes and the device suggests clearing the app cache. But it doesn't help. And again, the most strange thing is that the 124 version doesn't seem to officially exist, so why do we get it installed in the first place.
Anyone else seeing issues today with OAuth authentication on an ActiveSync profile? Until today the installation of an ActiveSync profile on an iOS device using OAuth worked fine. Suddenly today this stopped working. It goes into an endless session trying to log in to login.microsoftonline.com. Other apps work fine.
*Thread Reply:* It seems like during the configuration of the profile it thinks that the device is not registered. Which it is, and compliant as well.
*Thread Reply:* Just heard from other customers with the same issue (also as per today). Fixed by creating an SSO Extension configuration.
KVPs: browserssointeractionenabled EnableSSOOnAll_ManagedApps
please share your expert views about choosing the best solution for BYOD with #Apple #AccountDrivenUserEnrollment (AUE) vs #microsoft_intune WebBased Device Enrollment ! which is the best fit for Users. #apple #microsoft #byod
Chapter 2: A day later we realized that Edge was updated again, the version was back to 123.0.2420.102 and SSO was working. We quickly uninstalled Edge on all our devices and reinstalled it again, problem solved... temporarily.
Chapter 3: Tonight Edge was updated again (on Google Play) to version 124.0.2478.62 and now the SSO issue is back!!! THIS IS A VERY SERIOUS ISSUE CAUSING SEVERE ISSUES!
I wanted to share something on Passkeys I wrote today (useful in general regardless of where you are working since it's coming and coming fast): https://mobile-jon.com/2024/04/29/demystifying-passkeys-and-extending-microsoft-entra-with-passkey-authentication/
Wanted to let everyone know another MVP and I are doing an AMA at the end of the month all about people moving from VMware's MDM to Intune (I built a tool to migrate Windows devices without needing to wipe them): https://events.teams.microsoft.com/event/1d2cb920-9978-4105-ac6d-ebf2bf27c2b7@d2e17a63-6944-4f67-b776-53640b6bd0f7
*Thread Reply:* I did too so I'm curious how you did it. Registered
*Thread Reply:* hey @jon towles will it be Windows focused or will other platforms be discussed as well?
*Thread Reply:* Windows focused, as our migration tool is for moving Windows devices
*Thread Reply:* If you have a specific request I might be able to do it in a later webinar
Just thought I’d share the start of my latest series: https://mobile-jon.com/2024/05/06/windows-11-best-practices-part-one-onboarding/
Hello! Has anyone managed to add a widget (like time and date) on the home screen of Microsoft Managed Home Screen? Please share how 🙂
Thought I'd share Part 2 for those who might be interested: https://mobile-jon.com/2024/05/14/windows-11-best-practices-part-two-security/
Can we set a "full device level passcode" on Android if it's a "work profile" enrolled type device? Or can we set both "work profile" and "full device level passcode"? Or just set and manage only the "work profile" level passcode. Any inputs?
*Thread Reply:* Both, all, none, whatever you want.
If it's personally owned and newer than 12 it'll revert to a complexity bucket Vs an explicit requirement on the parent profile, but it'll apply nonetheless
*Thread Reply:* Can we set biometrics for work profile unlock ? @Jason Bayton
Hey all, anyone seen Android devices, managed by Intune, have MS Defender VPN randomly show “Disabled by your Administrator”?
I can see the VPN profile is installed as well as the Defender app configuration profile. We actually had a business impacting issue back in April that seemingly self resolved, and have since had a few devices have this crop up since.
Currently have a MS Support case open to help us out, but if anyone else has seen this and has any thoughts or ideas, it would be greatly appreciated.
*Thread Reply:* What type of enrollment? And assuming that’s an erroneous block from Android and not the application?
*Thread Reply:* COPE enrollment. The error manifests by Defender showing a not connected status; when a user launches Defender the "Disabled by Administrator" messaging exists and any apps that require VPN do not connect.
Since Intune doesn’t have a great way to remove and re-apply profile I’ve created an exclusion group and am in the process of seeing if that could be a workaround.
*Thread Reply:* FYI, we have a Microsoft case open still with limited progress, the workaround we’ve found so far is to use an exclusion group (which we had setup with no members already for troubleshooting purposes) to our primary VPN profile and then explicitly target the exclusion group to a parallel identically configured VPN profile and this “resolves” the issue - of course manually adding users to the exclusion group.
*Thread Reply:* Microsoft is indicating the Defender app config must be included in the “custom settings” of the vpn profile. We are still waiting on clarification there as the documentation only indicates this is necessary if using Defender for MTD
*Thread Reply:* We did move to Custom Settings within the VPN profile, in place of the MS Defender App Config, at least on Android and this has solved our issue. We will continue to monitor.
For those interested, we are hosting an AMA and demo discussing our WS1 to Intune migration tool and the overall journey in less than two weeks: https://events.teams.microsoft.com/event/1d2cb920-9978-4105-ac6d-ebf2bf27c2b7@d2e17a63-6944-4f67-b776-53640b6bd0f7/registration
*Thread Reply:* Teams wouldn't work for me. So link to recording and migration tool?
*Thread Reply:* Still didn't work. We've been able to migrate with PowerShell scripts. Was really wanting to hear how you did it. Slides, recording, are you offering the tool?
Hi All, In Intune how do we do Android EMM integration with Gsuite? do we just have to login with company gmail account?
Hi, is there a way to block IPs the same way we can block URLs on iOS using a config profile?
What's the preferred method for the Android Enterprise bind today? The Intune docs still mention the "use a private Google account for Managed Play Accounts" process, but I learned from Jason's FAQ (and the Google docs) that this method is deprecated.
BTE isn't supported by Intune afaik, so carry on as normal
You'll be migrated automatically towards the end of the year to the new experience if you can't get on it now
We were planning to migrate our Windows 10 devices from WS1 to Intune. However, the service provider imaged all the machines, and they no longer have a recovery partition, which is required for a factory reset and, consequently, for Autopilot enrollment. Do you have any ideas on how to recreate the partition remotely without having to return those devices to the service provider?
*Thread Reply:* Remotely? While not being managed somehow yet? That won’t really be possible as you would need to run, at least, some scripts. I would send them back to have them re-setup
*Thread Reply:* They are WS1 managed at this moment, we were planning to migrate from WS1 to Intune.
Hi All,
Sharing the latest part in my Windows 11 Best Practices series where we cover WDAC, Device Control, EPM, and more. Hopefully people enjoy as these are some of the more complicated capabilities in Windows that continue to evolve.
https://mobile-jon.com/2024/06/03/windows-11-best-practices-part-three-security-advanced/
Hello! Anyone know how to prevent Android apps from going into "Deep sleeping"? The devices are Samsung Galaxy Xcover and they are managed in Intune as Dedicated devices with Managed Home Screen enabled.
*Thread Reply:* Yes, I think maybe "Battery optimization allowlist" can prevent apps from getting into deep sleep. Next question is how to enable apps that are already in deep sleep. Only way I found so far is to reinstall the app (which we all know is not a fun thing in Intune)
The problem is when apps go into deep sleep they disappear from Managed Home Screen
*Thread Reply:* You can do it if they’re galaxies I believe. You just leverage the Knox service plugin settings
“Contact your it admin this device will be erased 9 days left Problem | This phone will be erased” Anyone ever seen this message when enrolling an Android device using an enrollment token of the type Corporate-owned dedicated device with Microsoft Entra shared mode?
*Thread Reply:* So far yes, trying the other mode now. What confuses me is the same properties for that token work in one Intune tenant and in the other one I get that message
*Thread Reply:* That’s what I also thought, that’s why I unassigned the two policies I had, but no difference. Trying now with a token that has no shared mode and corporate-owned fully managed user device instead
*Thread Reply:* The other token enrollment works, resetting now and then try the other shared token again.
*Thread Reply:* As soon as I enroll in shared mode I get this, after being on the home screen for like 30 seconds without touching the device.
*Thread Reply:* I have no compliance policies assigned to the device and still get this. Could this also be a conditional access policy instead of compliance policy?
*Thread Reply:* I’ll also unassign the config profiles I currently have assigned to see if anything changes
*Thread Reply:* Don't you always need at least one compliance policy in Intune for devices to be compliant? I initially thought you might have a conflicting zero-touch configuration, but apparently not the case if the QR code enrollment works
*Thread Reply:* So usually if you don’t have a compliance policy assigned the default compliance policy marks your device as non compliant, which would be okay. But this message overlays the screen and there is nothing I can do but press the three dots in the corner and either sync policies which doesn’t change anything or factory reset
*Thread Reply:* Does it look like it has a policy assigned in Intune?
*Thread Reply:* No, no policy assigned. I removed all the configurations, then the device went from that overlay to the home screen. I then added the config for my managed home screen back and that worked, but it is not accepting all the settings in there, like the amount of seconds before it turns off the screen, which is weird too
*Thread Reply:* I opened a ticket with Microsoft now, because it is really not clear why the device keeps turning off the screen like that
Conditional Access question
We have Android Enterprise Work Profile for BYOD. I can use Edge to authenticate in the work profile and it passes our "require device to be compliant" CA rule check. But if you use Chrome in the work profile, it gets blocked by that same CA policy.
According to Intune documentation Chrome and Edge are supported on Android for this type of policy. But it seems only Edge is working. Is there a setting in Chrome that needs to be adjusted for this to work?
*Thread Reply:* Hi @Rob B
you have to export the CA certificate manually to the device. You open the company portal app, open menu (burger menu top left), go to settings and tap on “activate” on “Allow Browser access”.
*Thread Reply:* This will install the CA certificate into the system store for certificate and makes it accessible for chrome.
*Thread Reply:* Interesting. I'll have to try that out.
We currently have devices enrolled in Ivanti Neurons, but are passing compliance status via the Intune Partner compliance connector.
Since those devices don't use the Company portal app, I don't think it would fix the issue for those devices
*Thread Reply:* Have a look into the authenticator app. I believe there is a similar functionality under the MS account / registered account entry.
*Thread Reply:* Consider removing the Chrome app and making the Edge browser the default for the work profile 😉 We did this a long time ago and never regretted it.
*Thread Reply:* I'll take a look at the auth app. Thanks @Daniel
For those interested, the final part of my multi-part series on Windows 11 best practices focusing on user experience is out now: https://mobile-jon.com/2024/06/17/windows-11-best-practices-part-four-user-experience/
I mean it’s a start for something people have been asking for from day-1!
*Thread Reply:* Wow, I didn't even realize Intune didn't already have that capability. Man, it really is worse than I thought. 🗑️
Hi all! Anyone aware of an option for blocking Android app updates for longer than 90 days?
*Thread Reply:* Zebra devices have the ability to block specific app upgrades from Google Play permanently through their MX configuration layer. This is OEM specific however and I don’t otherwise know of any baseline AMAPI features to disable upgrades
*Thread Reply:* Afraid not, unless there are OEM options as Matt points out.
You could try dabbling with network firewalls but it's tricky without hurting management overall
*Thread Reply:* Mobile app version control with Google Play is generally abysmal
Wanted to share my recent article on handling missing trusted publishers in Word that coincides with Office App Security Baseline best practices: https://mobile-jon.com/2024/07/08/fixing-issues-with-add-ins-and-office-apps-security-baselines/
Is anyone using AOSP user affinity enrolment in Intune here? If so could you share with me an example QR code? https://learn.microsoft.com/en-us/mem/intune/enrollment/android-aosp-corporate-owned-user-associated-enroll
I will not be enrolling, just tearing it down. I’ve lost access to intune again :)
*Thread Reply:* Thanks Dan and Mark, all sorted now :)